[42681] in North American Network Operators' Group


Re: Pattern matching odd HTTP request

daemon@ATHENA.MIT.EDU (Karsten W. Rohrbach)
Tue Sep 18 19:52:29 2001

Date: Wed, 19 Sep 2001 01:51:30 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Bill McGonigle <mcgonigle@medicalmedia.com>
Cc: Jake Khuon <khuon@GBLX.Net>, mike@biggorilla.com,
	nanog@merit.edu, brian@collab.net
Message-ID: <20010919015130.A39889@mail.webmonster.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="envbJBWh7q8WU6mo"
Content-Disposition: inline
In-Reply-To: <B49B3647-AC88-11D5-9707-003065EAE3C0@medicalmedia.com>; from mcgonigle@medicalmedia.com on Tue, Sep 18, 2001 at 06:58:42PM -0400
Errors-To: owner-nanog-outgoing@merit.edu


Bill McGonigle(mcgonigle@medicalmedia.com)@2001.09.18 18:58:42 +0000:
>
> On Tuesday, September 18, 2001, at 06:30 PM, Jake Khuon wrote:
> >
> > You start to suspect a DDOS port-flood attack.  It's certainly causing
> > me to
> > spawn a lot of httpds and occupying a lot of ports.
[...]
> On Apache 1.3, this brings the number of httpd processes up to
> MaxClients, then each one waits 300 seconds (the default timeout) for
> the connections to time out, at which point the other connections are
> made, and the cycle continues.  A DDOS of this nature would be
> particularly nasty.  One client (happened to be on localhost) tied up
> the server for 6 minutes this way with the default Apache config.

indeed, that's nasty.
the quick-fix action would be setting
    Timeout 5
in the httpd.conf, but this won't really fix the problem and would make
the objects inaccessible for users with high-latency links.

source-IP-based connection rate limiting would perhaps solve the
problem. are there any modules available out there to accomplish this
task?

>
> Here's what the logfile for these attempts looks like:
>
> 127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -
>
> Doh!

yup, i see them from time to time in some of my servers' logs, but not
at the rate jake reported. i cc'ed brian from the apache project,
perhaps they've got some solution for this...

/k

-- 
> CS Students do it in the pool.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
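The log line Bill quotes above ("-" request, status 408) is what Apache writes each time Timeout expires on a connection that never sent a request line; one of them per source is harmless, a burst from one source is the worker-exhaustion pattern the thread describes. The following is an added example, not code from the original thread or from the Apache project: it parses common-log-format lines, keeps only the "-"/408 entries, and reports any source IP that produced at least `threshold` of them inside one sliding `window`. The 300 s window (matching the default Timeout mentioned above), the threshold of 5, and the sample log lines are all constructed assumptions for illustration.

```python
"""Spot sources that tie up Apache workers with idle connections.

Apache logs a request line of "-" with status 408 when a client opened a
connection but sent nothing before Timeout expired. Many such lines from one
source inside one Timeout window is the flood pattern discussed in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def is_idle_timeout(entry):
    """True for the '"-" 408' entries written when Timeout fires on an idle connection."""
    return entry["status"] == 408 and entry["request"] == "-"


def idle_timeout_bursts(lines, window=timedelta(seconds=300), threshold=5):
    """Return {host: peak} for hosts with >= threshold idle timeouts inside any window.

    peak is the largest number of idle-timeout entries from that host whose
    timestamps fall within one window. Timestamps are sorted per host first so
    out-of-order log writes do not break the sliding window.
    """
    events = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_idle_timeout(entry):
            events[entry["host"]].append(entry["ts"])

    flagged = {}
    for host, stamps in events.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


# Constructed sample log (not from the original post): an idle-connection
# flood from 10.0.0.5, a lone timeout from localhost, ordinary traffic from
# 192.0.2.9, and one junk line to show the parser skipping it.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -',
    '192.0.2.9 - - [18/Sep/2001:18:43:10 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.5 - - [18/Sep/2001:18:43:07 -0400] "-" 408 -',
    '127.0.0.1 - - [18/Sep/2001:18:43:06 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:44:30 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:45:01 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:46:59 -0400] "-" 408 -',
    '10.0.0.5 - - [18/Sep/2001:18:58:00 -0400] "-" 408 -',  # outside the first window
    '192.0.2.9 - - [18/Sep/2001:18:59:00 -0400] "GET /robots.txt HTTP/1.0" 404 -',
    'garbage line that should be skipped',
]

if __name__ == "__main__":
    for host, peak in sorted(idle_timeout_bursts(SAMPLE_LOG).items()):
        print(f"{host}: {peak} idle timeouts within 300s")
```

Because a 408 is only logged once Timeout has already expired, this detects the flood about one Timeout after it starts; it is a triage aid for picking out the source to rate-limit, not a substitute for the connection limiting asked about above. Run on the sample data it reports only 10.0.0.5, with six timeouts inside one window.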

