httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject MSIE 3.01 on Windows NT Considered Harmful
Date Mon, 16 Dec 1996 06:33:10 GMT

It launches denial of service attacks in a manner very similar to the recent
Panix attacks, apparently.

Although the message below is old, this same thing has happened several times
since then, and three times this weekend alone.  The common trait amongst all
these failures is that one host, while making some legitimate accesses, will
very rapidly fill up the connections table with "ESTABLISHED" connections, each
of which appears to consume an httpd child, until eventually MAX_CLIENTS is
hit.  And the UA which each host appears to use?

  Mozilla/2.0 (compatible; MSIE 3.01; Windows NT)

THIS IS CONSISTENTLY THE BROWSER USED.  I have not been able to reproduce this
yet with this browser and OS against our server, and there have been many
successful sessions against Organic's servers with people using this UA (for
longer sessions, too).  I also have seen lots of accesses from folks using
Netscape on NT without a problem like this, as well as MSIE pre-3.0, so I am
pretty confident this is an MSIE 3.01 NT bug.

Wow, two browser problems in two days.  Since this one is leading to a
denial of service attack I am close to putting in a "deny from" line.  If
anyone thinks it might be worth forwarding this to other newsgroups feel
free, or to the press if you can confirm it.  I've anonymized which
client was getting this spam.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS

---------- Forwarded message ----------
Date: Mon, 9 Dec 1996 22:41:15 -0800 (PST)
From: Brian Behlendorf <brian@organic.com>
To: Bryce Ryan <brycer@organic.com>
Subject: Re: netstat taken during apache "failur"

On Sat, 7 Dec 1996, Bryce Ryan wrote:
> this morning, when the web servers appeared to fail on nonfat, i
> took a netstat -a.  here are the results.  hope they are useful.

[snip]


Shit!  Looks like a denial of service attack to me!  If you consider each one
of these established connections to be a child process on nonfat, (going to the
www.ourclient.com site), no wonder the connections were swamped.  In looking
through the logs, I see that someone from that address started connecting to
the www.ourclient.com site around 8:30AM, made about 80 regular normal
HTTP requests over the course of a few minutes, i.e.

  www.ourclient.com|147.9.157.51|GET / HTTP/1.0|text/html|
    200|1996/12/07-08:31:03|-|353|Apache=1474029849976263158; path=/|-|-|
    Mozilla/2.0 (compatible; MSIE 3.01; Windows NT)

and then 20 minutes later the log has about ten jillion hits which look like

  www.ourclient.com|147.9.157.51|-|-|200|1996/12/07-08:54:32|-|-|-|-|-|-

for the next two minutes, and then nothing.  This is very bizarre, it's as if
a connection was made, two linefeeds came in, and then nothing.  

In looking at the error logs, I see a preponderance of the following error
message around this time:

  [Sat Dec  7 08:37:39 1996] accept: Protocol error
  [Sat Dec  7 08:37:39 1996] - socket error: accept failed

I see the server getting this error about once every 10 minutes in the course
of normal operation, but right about this time the number of errors just
exploded.  

I just put the new Apache in, which does have some fixes in signal handling
which may be related; in addition to doing a "netstat -f inet -n", we should
keep around the httpd error logs from that time, and a note of exactly when the
restart took place should be made.  

I'll ask on the Apache list for insight into the error message above.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
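
Added example, not part of the original message or of Apache: a small triage script for the pattern described above, counting ESTABLISHED connections to the httpd port per remote host against the child limit, and counting log entries whose request field is empty. The host names, addresses, the MAX_CLIENTS value of 150 and the reading of the pipe-delimited log fields (client second, request third, timestamp sixth) are assumptions; all sample input is constructed.

```python
from collections import Counter

MAX_CLIENTS = 150  # assumed value for illustration; use the server's real limit


def split_endpoint(endpoint):
    """Split 'host.port' (netstat style, port after the last dot) or return None."""
    host, _, port = endpoint.rpartition(".")
    return (host, int(port)) if host and port.isdigit() else None


def established_by_remote(netstat_text, local_port=80):
    """Count ESTABLISHED connections to local_port, grouped by remote host."""
    counts = Counter()
    for raw in netstat_text.splitlines():
        fields = raw.lstrip("> \t").split()  # tolerate mail-quoted output
        if len(fields) != 7 or fields[6] != "ESTABLISHED":
            continue  # header, ruler line, or a connection in another state
        local, remote = split_endpoint(fields[0]), split_endpoint(fields[1])
        if local and remote and local[1] == local_port:
            counts[remote[0]] += 1
    return counts


def hosts_over_share(counts, max_clients, share=0.5):
    """Hosts whose connections alone hold at least `share` of the child pool."""
    limit = max_clients * share
    return sorted(host for host, n in counts.items() if n >= limit)


def empty_requests_per_minute(log_text):
    """Count entries with no request line ('-'), keyed by (client, minute)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 6 or fields[2] != "-":
            continue
        counts[(fields[1], fields[5][:16])] += 1  # 'YYYY/MM/DD-HH:MM'
    return counts


def sample_netstat():
    """Constructed netstat output in the column layout quoted in the message."""
    rows = [
        "   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State",
        "-------------------- -------------------- ----- ------ ----- ------ -------",
    ]
    row = "www.example.com.{lp} {rh}.{rp}  8760      0  8760      0 {st}"
    rows += [row.format(lp=80, rh="client-a.example.net", rp=1166 + i,
                        st="ESTABLISHED") for i in range(120)]
    rows += [row.format(lp=80, rh="client-b.example.net", rp=2040 + i,
                        st="ESTABLISHED") for i in range(3)]
    rows.append(row.format(lp=80, rh="client-c.example.net", rp=3001, st="TIME_WAIT"))
    rows.append(row.format(lp=25, rh="mail.example.net", rp=4100, st="ESTABLISHED"))
    return "\n".join("> " + r for r in rows)


def sample_log():
    """Constructed log: one normal request, then 30 empty ones in a minute."""
    normal = ("www.example.com|192.0.2.51|GET / HTTP/1.0|text/html|200|"
              "1996/12/07-08:31:03|-|353|-|-|-|"
              "Mozilla/2.0 (compatible; MSIE 3.01; Windows NT)")
    empty = "www.example.com|192.0.2.51|-|-|200|1996/12/07-08:54:{:02d}|-|-|-|-|-|-"
    return "\n".join([normal] + [empty.format(s) for s in range(30, 60)])


if __name__ == "__main__":
    conns = established_by_remote(sample_netstat())
    for host, n in conns.most_common():
        print(f"{host}: {n} ESTABLISHED ({n / MAX_CLIENTS:.0%} of MAX_CLIENTS)")
    print("over half the pool:", hosts_over_share(conns, MAX_CLIENTS))
    for (client, minute), n in empty_requests_per_minute(sample_log()).items():
        print(f"{client} sent {n} empty requests during {minute}")
```

netstat prints host names here while the log records addresses, so matching the two views is easier with the numeric "netstat -f inet -n" form the message mentions; the parser accepts both.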





