httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: yaDoS
Date Tue, 03 Feb 1998 03:20:20 GMT
This isn't a new issue and has been looked at, but the thing with it is
that you require a real IP to do it and it shouldn't be that hard to
simply see what IPs are doing it then filter them.

Someone (Ed Korthof <ed@organic.com>?) wrote a patch once to do limiting
based on this, but it is a bit ugly and needs refining and was against
1.2bsomething to start I think.  Not sure if he has a more recent one...

On Mon, 2 Feb 1998, Roy T. Fielding wrote: 

> 
> ------- Forwarded Message
> 
> Message-ID: <01BD2FF4.7C264350@LE104>
> From: Eric Liu <eliu@linkexchange.com>
> To: "'fielding@kiwi.ics.uci.edu'" <fielding@kiwi.ics.uci.edu>
> Subject: Possible Apache Denial of Service Attack
> Date: Mon, 2 Feb 1998 16:06:12 -0800
> 
> Roy,
> 
> You don't know me, but to establish a connection :),
> I am a UC alum who is now an engineer at LinkExchange,
> which serves 6 million hits per day on Apache.
> I saw your post to usenet below, and I think we have
> come across a possible Denial of Service attack on Apache.
> Basically, the method is to spawn many clients that simply
> connect and do nothing else.  Apache will not disconnect
> them until a timeout of 60 seconds occurs.  This causes
> the number of processes to quickly ramp up to MaxClients,
> effectively disabling the server.  The errors that occur are as
> in the post that you replied to below.
> 
> Forgive me if this email should have gone to the apache mail list, 
> but we believe that LinkExchange is currently being attacked with 
> this method currently (we've been down for several hours today).
> Any information you could provide about this topic would be
> appreciated.  For now, we will just try setting DEFAULT_TIMEOUT 
> to a much lower number.
> 
> Thanks,
> Eric
> 
> Eric Liu
> LinkExchange. Powered by People.
> (415)543-4435 x112
> eliu@linkexchange.com
> 
> ####################################################################
> > read request line timed out for <IP address>
> 
> This is a client connection which was hosed so bad that the client either
> exited the network (crashed) or was rerouted through two cans and a string
> or was stuck in your TCP listen queue and aborted just after the connection
> was accepted.  Basically, the server got a connection but no request.
> 
> If you get a lot of these ones (more than 1 in ten thousand) then you
> probably have network problems.  Be sure your listen queue is set higher
> than the Solaris default (5) -- much higher.  The Solaris FAQ probably
> explains how to do that for SunOS 5.5.1.
> 
> 
> ------- End of Forwarded Message
> 
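An added example, not part of the original thread or of Apache itself: the "see what IPs are doing it" step, as a per-IP tally of the `read request line timed out for <IP address>` error quoted above, flagging sources that exceed a threshold inside a sliding window. The bracketed timestamp prefix, the threshold and window values, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The message text is the one quoted in the thread; the "[timestamp]" prefix
# in front of it is an assumed log layout, not taken from the page.
TIMEOUT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+read request line timed out for "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # assumed timestamp format

# Constructed sample input (documentation address ranges), in time order.
SAMPLE_LOG = """\
[Mon Feb  2 16:06:12 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 16:06:13 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 16:06:15 1998] read request line timed out for 198.51.100.7
[Mon Feb  2 16:06:20 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 16:06:40 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 16:07:00 1998] read request line timed out for 203.0.113.5
[Mon Feb  2 16:12:00 1998] read request line timed out for 203.0.113.5
[Mon Feb  2 16:17:00 1998] read request line timed out for 203.0.113.5
[Mon Feb  2 16:17:05 1998] constructed unrelated error line
"""

def idle_connection_sources(lines, threshold=3, window_seconds=60):
    """Return {ip: peak_count} for IPs that reached `threshold` timeouts
    within any `window_seconds` span. Lines must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> largest in-window count seen
    for line in lines:
        m = TIMEOUT_RE.match(line.strip())
        if not m:
            continue              # some other error message
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue              # unparseable timestamp: skip, don't guess
        q = recent[m.group("ip")]
        q.append(ts)
        while ts - q[0] > window: # expire entries older than the window
            q.popleft()
        peak[m.group("ip")] = max(peak[m.group("ip")], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(idle_connection_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{n} request-line timeouts within 60s")
```

The window separates a source that piles up idle connections from one that times out occasionally over a longer period, which the forwarded note attributes to ordinary network problems.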

