httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Grant <emailgr...@gmail.com>
Subject Re: [users@httpd] Re: apache service interruption
Date Fri, 02 Aug 2013 05:49:59 GMT
> Truthfully, I've always limited connections from the source IP via a
> firewall before the traffic is even passed to apache.

Do you do this only when under DoS attack or all the time?

Won't you potentially prevent legitimate users from making a single
connection if they're connecting with a shared IP from a university
campus (for example)?

How is this accomplished with iptables?

- Grant


>>> Two different things come to mind.  Kingcope found an Apache byterange
>>> vulnerability and the PoC code he wrote for it exhausts the resources on
>>> a
>>> server running Apache.  Only 1 instance of his perl script had to be ran.
>>> LOIC is another that could possible DoS your server from one source. What
>>> IP address was hitting your box when this happened?
>>
>>
>> I'd rather not post the IP if that's OK.  I did notice my access_log
>> entries were out of chronological order for the IP address in
>> question.  Does that indicate a Slowloris attack?  Maybe it's just the
>> result of the server bogging down in response to so many requests in a
>> short amount of time.
>>
>> So I'm sure I understand, a regular browser or unsophisticated script
>> shouldn't be able to interrupt apache service by simply requesting a
>> large number of pages in a short amount of time?  If not, how does
>> apache prevent that from happening?
>>
>> - Grant
>>
>>
>>>>> You wouldn't keep a syn proxy rule enabled all the time; only under a
>>>>> DoS
>>>>> attack.  You could also implement ModSecurity.
>>>>
>>>>
>>>>
>>>> ModSecurity looks good and I think it works with nginx as well as
>>>> apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
>>>> vulnerable to a single client requesting too many pages and
>>>> interrupting the service?
>>>>
>>>> - Grant
>>>>
>>>>
>>>>>>> Also, you should be able to limit simultaneous client connections
>>>>>>> with
>>>>>>> your
>>>>>>> firewall and pass the traffic in a syn proxy state. There are
>>>>>>> numerous
>>>>>>> ways
>>>>>>> to achieve this.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Is that the best way to go besides OSSEC HIDS?  I can imagine that
>>>>>> sort of thing could cause problems.
>>>>>>
>>>>>> - Grant
>>>>>>
>>>>>>
>>>>>>>> You can always compile from source ;)
>>>>>>>> What version of Apache are you running?
>>>>>>>>
>>>>>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Was it just an IP exhausting the apache service with
too many
>>>>>>>>>> connections?  What do you see in the access logs?
 I use OSSEC
>>>>>>>>>> HIDS
>>>>>>>>>> on
>>>>>>>>>> my
>>>>>>>>>> apache servers to mitigate this.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> In the access log I see the same IP made many requests
during the
>>>>>>>>> service interruption and I think that exhausted the apache
service.
>>>>>>>>> It looks like there isn't a Gentoo ebuild for OSSEC HIDS.
 Is there
>>>>>>>>> another way to prevent this sort of thing?
>>>>>>>>>
>>>>>>>>> - Grant
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>>> My server has 4GB RAM and uses nginx as a
reverse proxy to
>>>>>>>>>>>> apache.
>>>>>>>>>>>> A
>>>>>>>>>>>> little while ago my website became inaccessible
for about 30
>>>>>>>>>>>> minutes.
>>>>>>>>>>>> I checked my munin graphs and it looks like
apache processes
>>>>>>>>>>>> spiked
>>>>>>>>>>>> to
>>>>>>>>>>>> about 29 during this time which is many times
greater than
>>>>>>>>>>>> usual.
>>>>>>>>>>>> I
>>>>>>>>>>>> have MaxClients at 30 and the error log verifies
that MaxClients
>>>>>>>>>>>> was
>>>>>>>>>>>> not reached.  The strange part is system
disk latency shows a
>>>>>>>>>>>> spike
>>>>>>>>>>>> during the interruption which is only very
slightly greater than
>>>>>>>>>>>> other
>>>>>>>>>>>> spikes which did not interrupt service. 
System CPU, memory, and
>>>>>>>>>>>> swap
>>>>>>>>>>>> usage don't show anything interesting at
all.
>>>>>>>>>>>>
>>>>>>>>>>>> Does this make sense to anyone?  Should I
decrease MaxClients?
>>>>>>>>>>>>
>>>>>>>>>>>> - Grant
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I've looked over my access_log and I can see
there is a
>>>>>>>>>>> particular
>>>>>>>>>>> IP
>>>>>>>>>>> which was making many requests during the interruption.
 Since
>>>>>>>>>>> munin
>>>>>>>>>>> does not show there was an excessive amount of
memory or CPU
>>>>>>>>>>> usage,
>>>>>>>>>>> lowering MaxClients won't help?
>>>>>>>>>>>
>>>>>>>>>>> - Grant

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message