Date: Mon, 2 Feb 1998 20:20:20 -0700 (MST)
From: Marc Slemko
To: new-httpd@apache.org
cc: Eric Liu
Subject: Re: yaDoS
In-Reply-To: <9802021619.aa22880@paris.ics.uci.edu>

This isn't a new issue and has been looked at, but the thing with it is
that you require a real IP to do it and it shouldn't be that hard to
simply see what IPs are doing it then filter them.

Someone (Ed Korthof?) wrote a patch once to do limiting based on this,
but it is a bit ugly and needs refining and was against 1.2bsomething to
start I think. Not sure if he has a more recent one...

On Mon, 2 Feb 1998, Roy T. Fielding wrote:

>
> ------- Forwarded Message
>
> Message-ID: <01BD2FF4.7C264350@LE104>
> From: Eric Liu
> To: "'fielding@kiwi.ics.uci.edu'"
> Subject: Possible Apache Denial of Service Attack
> Date: Mon, 2 Feb 1998 16:06:12 -0800
>
> Roy,
>
> You don't know me, but to establish a connection :),
> I am a UC alum who is now an engineer at LinkExchange,
> which serves 6 million hits per day on Apache.
> I saw your post to usenet below, and I think we have
> come across a possible Denial of Service attack on Apache.
> Basically, the method is to spawn many clients that simply
> connect and do nothing else. Apache will not disconnect
> them until a timeout of 60 seconds occurs. This causes
> the number of processes to quickly ramp up to MaxClients,
> effectively disabling the server. The errors that occur are as
> in the post that you replied to below.
>
> Forgive me if this email should have gone to the apache mail list,
> but we believe that LinkExchange is currently being attacked with
> this method (we've been down for several hours today).
> Any information you could provide about this topic would be
> appreciated. For now, we will just try setting DEFAULT_TIMEOUT
> to a much lower number.
>
> Thanks,
> Eric
>
> Eric Liu
> LinkExchange. Powered by People.
> (415)543-4435 x112
> eliu@linkexchange.com
>
> ####################################################################
>
> > read request line timed out for
>
> This is a client connection which was hosed so bad that the client either
> exited the network (crashed) or was rerouted through two cans and a string
> or was stuck in your TCP listen queue and aborted just after the connection
> was accepted. Basically, the server got a connection but no request.
>
> If you get a lot of these ones (more than 1 in ten thousand) then you
> probably have network problems. Be sure your listen queue is set higher
> than the Solaris default (5) -- much higher. The Solaris FAQ probably
> explains how to do that for SunOS 5.5.1.
>
>
> ------- End of Forwarded Message
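Marc's suggestion above is to see which IPs are producing the idle connections and filter them, and Roy's rule of thumb is that more than 1 in ten thousand of these timeouts points to a problem. As an added example that is not part of the thread or of Apache itself, the following Python counts "read request line timed out for" entries per remote host in an Apache error log, flags hosts above a threshold, and computes the timeout ratio against a request total; the log lines are constructed, and the bracketed timestamp prefix and host addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample error-log lines. Only the "read request line timed out
# for" message text comes from the thread; the "[date]" prefix and the hosts
# are assumed for this example. One line is a different timeout kind so the
# filter has something to ignore.
SAMPLE_ERROR_LOG = """\
[Mon Feb  2 19:58:03 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 19:58:04 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 19:58:04 1998] read request line timed out for 198.51.100.7
[Mon Feb  2 19:58:05 1998] read request line timed out for 192.0.2.10
[Mon Feb  2 19:58:09 1998] send body timed out for 203.0.113.4
[Mon Feb  2 19:58:11 1998] read request line timed out for 192.0.2.10
"""

# Match only connections that were accepted but never sent a request line.
TIMEOUT_RE = re.compile(r"^\[[^\]]+\] read request line timed out for (\S+)$")


def timed_out_hosts(error_log: str) -> Counter:
    """Count 'read request line' timeouts per remote host."""
    counts: Counter = Counter()
    for line in error_log.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flag_sources(counts: Counter, threshold: int) -> list:
    """Hosts that hit the idle-connection timeout at least `threshold` times,
    i.e. candidates for Marc's 'see what IPs are doing it then filter them'."""
    return sorted(host for host, n in counts.items() if n >= threshold)


def timeout_ratio(counts: Counter, total_requests: int) -> float:
    """Timed-out connections as a fraction of all requests served in the same
    period; Roy's heuristic is that more than 1/10000 signals trouble."""
    return sum(counts.values()) / total_requests


if __name__ == "__main__":
    counts = timed_out_hosts(SAMPLE_ERROR_LOG)
    print(counts)
    print("flagged:", flag_sources(counts, threshold=3))
    print("ratio:", timeout_ratio(counts, total_requests=20000))
```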