Security Incidents mailing list archives

Re: Jammed WebSite


From: Kee Hinckley <nazgul () SOMEWHERE COM>
Date: Wed, 26 Jul 2000 17:58:26 -0400

In a past life I twice helped build Boston's First Night site.  Both
times the ISP was overloaded as midnight approached.

At 1:57 PM -0400 7/26/00, David Hibbeln wrote:
> no evidence of DoS or other attack. One administrator stated that due to
> the volume of hits he could not access the machine, had to turn it off,
> and then quickly get inside for review before the hits built up

That's definitely consistent with a server overload.  The issue is
that some servers may not be configured to throttle connections
properly.  If they are so configured, then when the load and number
of connections hit a certain level it would just start refusing
connections.  However if they *don't* throttle, all hell breaks loose.
The machine starts running out of memory resources, causing simple
operations to take huge amounts of time.  The problem quickly gets
worse, because as soon as it passes that threshold, normal requests
aren't processed in time, so they sit there eating up resources such
as open file descriptors and sockets.  Typically the only way out is
to either unplug the network connection and let it settle down, or
just reboot the machine.

 > and provided a munged link to jya.com:

   http://jya.com/crypto.htmhttp://jya.com/crypto.htm

> Thousands of hits on this non-existent file began to appear in the
> error log, and there have now been tens of thousands of them (maybe in

If you can get referrer field information on that it would be
helpful.  I suspect you'll find they all came from a single site
which had (but may not have any more) a typo in its link.  It's not
uncommon.  Something like <a
href="http://jwa.com/crypto.htmhttp://jya.com/crypto.htm</a> might
cause it.

 > (1)  (32)Broken pipe: accept: (client socket)

Sounds like the machine ran out of sockets, or else it's forking off
new processes which are promptly dying.  Is the site pure HTML, or
are things being pre-processed by CGI?

 > (2)  [warn] child process 736 still did not exit, sending a SIGTERM

A hosed server process might cause that, or just a system load so bad
that some processes didn't exit in time.

> (4)  Site site1 has invalid certificate: 4999 Certificate files
> do not exist.

That's an odd one.  Given everything else I'm inclined to just blame
something being out of resources, but I can't speculate on the
specifics.  All told though, it sounds to me like a very overloaded
web server.  When a server starts running out of file descriptors,
things start breaking everywhere.  It should have been configured to
throttle connections to a more appropriate level, but I don't see
anything malicious in it.

That said, the easiest DOS attack against a web server would be to
simply overload it with web requests.  However a log report on the
address of visitors and the referral information should give you a
reasonable indication of whether it's that.
--

Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
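The log report Kee asks for above (hits on the munged URL broken down by Referer and by client address, which also separates a stray bad link from a deliberate flood) as an added example, not code from the thread: it assumes Apache combined-format logs, and the sample lines, the portal.example referring site and the decision thresholds are all constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: client, identd, user, [timestamp], "request", status, bytes, "Referer", "User-Agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# The doubled URL from the thread, as the server sees it in the request line.
MUNGED = "/crypto.htmhttp://jya.com/crypto.htm"
PORTAL = "http://portal.example/links.html"  # hypothetical site carrying the bad link


def log_line(ip, path, status, referer):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [26/Jul/2000:13:01:02 -0400] "GET {path} HTTP/1.0" '
            f'{status} 210 "{referer}" "Mozilla/4.0"')

# Constructed sample: 40 munged hits from 40 clients following PORTAL's link,
# 5 munged hits from one client with no Referer, one normal hit on the real page.
SAMPLE_LOG = "\n".join(
    [log_line(f"10.0.{i}.7", MUNGED, 404, PORTAL) for i in range(40)]
    + [log_line("10.0.200.1", MUNGED, 404, "-") for _ in range(5)]
    + [log_line("10.0.9.9", "/crypto.htm", 200, "-")]
)


def referer_report(log_text, path):
    """Tally requests for `path` by Referer and by client IP (unparseable lines skipped)."""
    by_referer, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") == path:
            by_referer[m.group("referer")] += 1
            by_ip[m.group("ip")] += 1
    return by_referer, by_ip


def likely_cause(by_referer, by_ip, share=0.75, min_hits=10, few_clients=3):
    """Illustrative heuristic (this example's assumption, not from the thread):
    one named Referer supplying most hits points at a bad link on that site; most
    hits with no Referer from very few clients looks like flooding; else undetermined."""
    total = sum(by_referer.values())
    if total < min_hits:
        return "too few hits"
    ref, n = by_referer.most_common(1)[0]
    if n / total < share:
        return "undetermined"
    if ref != "-":
        return f"bad link on {ref}"
    return "flood from few clients" if len(by_ip) <= few_clients else "undetermined"
```

On a real log, pass the file contents as `log_text` and inspect `by_referer.most_common()` directly before trusting the heuristic's one-line verdict.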
