httpd-dev mailing list archives

From Dirk-Willem van Gulik <dirk.vangu...@jrc.it>
Subject Re: yaDoS
Date Tue, 03 Feb 1998 09:00:23 GMT

Hmm, we saw something similar; we did three things; increase the listen
queue size of the kernel, this costs very little in memory footprint or
performance, put down the timeout a bit and revved up max client. This
caused the situation to be manageable; given the limited (1.5 Mbit) link
to the server.

Note that you need a valid IP & route for this; so it should be easy to
track down the culprits; and perhaps do some filtering/blocking at router
level.

Also have a look at the attached patch; it effectively puts a second
(short) timeout in; plus logging; between the initial accept and the
actual first char accepted.  (It does interfere however with some
keep-alive stuff). 

Dw

On Mon, 2 Feb 1998, Roy T. Fielding wrote:

> 
> ------- Forwarded Message
> 
> Message-ID: <01BD2FF4.7C264350@LE104>
> From: Eric Liu <eliu@linkexchange.com>
> To: "'fielding@kiwi.ics.uci.edu'" <fielding@kiwi.ics.uci.edu>
> Subject: Possible Apache Denial of Service Attack
> Date: Mon, 2 Feb 1998 16:06:12 -0800
> 
> Roy,
> 
> You don't know me, but to establish a connection :),
> I am a UC alum who is now an engineer at LinkExchange,
> which serves 6 million hits per day on Apache.
> I saw your post to usenet below, and I think we have
> come across a possible Denial of Service attack on Apache.
> Basically, the method is to spawn many clients that simply
> connect and do nothing else.  Apache will not disconnect
> them until a timeout of 60 seconds occurs.  This causes
> the number of processes to quickly ramp up to MaxClients,
> effectively disabling the server.  The errors that occur are as
> in the post that you replied to below.
> 
> Forgive me if this email should have gone to the apache mail list, 
> but we believe that LinkExchange is currently being attacked with 
> this method currently (we've been down for several hours today).
> Any information you could provide about this topic would be
> appreciated.  For now, we will just try setting DEFAULT_TIMEOUT 
> to a much lower number.
> 
> Thanks,
> Eric
> 
> Eric Liu
> LinkExchange. Powered by People.
> (415)543-4435 x112
> eliu@linkexchange.com
> 
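
A short first-byte timeout between accept() and the first character, with logging, as the reply above describes, shown here as an added example; it is not the attached patch and not Apache code. The function names, the use of poll(), the timeout values and the peer address are assumptions made for illustration.

```c
/* Added example: first-byte timeout after accept(); all names are hypothetical. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum first_byte { FB_READY = 1, FB_IDLE = 0, FB_CLOSED = -1 };

/* Wait up to timeout_ms for the client's first byte on an accepted socket.
 * Peeks only, so the normal request reader still sees the data afterwards. */
static enum first_byte wait_first_byte(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int rc;
    char c;
    do {
        rc = poll(&p, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);   /* retry if a signal interrupted us */

    if (rc == 0)
        return FB_IDLE;                   /* connected but sent nothing */
    if (rc < 0 || (p.revents & (POLLERR | POLLNVAL)))
        return FB_CLOSED;
    /* Readable: tell real data apart from an orderly close (recv returns 0). */
    return recv(fd, &c, 1, MSG_PEEK) > 0 ? FB_READY : FB_CLOSED;
}

/* Gate a freshly accepted connection: log and drop idle clients early so
 * they do not hold a worker slot until the long request timeout expires. */
static int admit_connection(int fd, const char *peer, int timeout_ms)
{
    enum first_byte r = wait_first_byte(fd, timeout_ms);
    if (r == FB_READY)
        return 1;                         /* hand over to request processing */
    fprintf(stderr, "[first-byte] %s: %s, dropping\n", peer,
            r == FB_IDLE ? "no data within timeout" : "closed before sending");
    close(fd);
    return 0;
}

int main(void)
{
    int sv[2];                            /* constructed stand-in for accept() */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    /* Peer sv[1] never writes, like the connect-and-do-nothing clients. */
    return admit_connection(sv[0], "192.0.2.10", 200) == 0 ? 0 : 1;
}
```

The logged peer address gives the operator the source to filter at the router, which works here because the connection requires a valid IP and route.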
