httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@kiwi.ics.uci.edu>
Subject yaDoS
Date Tue, 03 Feb 1998 00:16:47 GMT

------- Forwarded Message

Message-ID: <01BD2FF4.7C264350@LE104>
From: Eric Liu <eliu@linkexchange.com>
To: "'fielding@kiwi.ics.uci.edu'" <fielding@kiwi.ics.uci.edu>
Subject: Possible Apache Denial of Service Attack
Date: Mon, 2 Feb 1998 16:06:12 -0800

Roy,

You don't know me, but to establish a connection :),
I am a UC alum who is now an engineer at LinkExchange,
which serves 6 million hits per day on Apache.
I saw your post to usenet below, and I think we have
come across a possible Denial of Service attack on Apache.
Basically, the method is to spawn many clients that simply
connect and do nothing else.  Apache will not disconnect
them until a timeout of 60 seconds occurs.  This causes
the number of processes to quickly ramp up to MaxClients,
effectively disabling the server.  The errors that occur are as
in the post that you replied to below.

Forgive me if this email should have gone to the apache mail list, 
but we believe that LinkExchange is currently being attacked with 
this method currently (we've been down for several hours today).
Any information you could provide about this topic would be
appreciated.  For now, we will just try setting DEFAULT_TIMEOUT 
to a much lower number.

Thanks,
Eric

Eric Liu
LinkExchange. Powered by People.
(415)543-4435 x112
eliu@linkexchange.com

####################################################################
> read request line timed out for <IP address>

This is a client connection which was hosed so bad that the client either
exited the network (crashed) or was rerouted through two cans and a string
or was stuck in your TCP listen queue and aborted just after the connection
was accepted.  Basically, the server got a connection but no request.

If you get a lot of these ones (more than 1 in ten thousand) then you
probably have network problems.  Be sure your listen queue is set higher
than the Solaris default (5) -- much higher.  The Solaris FAQ probably
explains how to do that for SunOS 5.5.1.


------- End of Forwarded Message


Mime
View raw message