From: "kanarip"
Date: Wed, 15 Oct 2003 20:56:22 +0200
Subject: Re: [users@httpd] Possible DDOS attack... ?
Message-ID: <00ed01c3934e$297bb090$c9e8d383@kanarip>
References: <6.0.0.22.2.20031015123641.01d40e58@rockfour.com> <3F8D7A88.F9366DD3@dessent.net> <6.0.0.22.2.20031015191638.01cc7878@rockfour.com>
Delivered-To: mailing list users@httpd.apache.org

Maybe some person(s) just try to synchronize his local version of your website, using dial up? Or maybe someone mirrors your site?

Greets,
kanarip

----- Original Message -----
From: "Gil Disatnik"
To:
Sent: Wednesday, October 15, 2003 7:22 PM
Subject: Re: [users@httpd] Possible DDOS attack... ?

> Thank you,
>
> Actually - I do see a legitimate access on one of the virtual hosts access
> log files, however, I see only a single GET for one of the php files on
> the server and then the other gets for the objects referred to by the php
> output.
> Could it be that apache is spawning a child process for every GET directive
> even if it's the same session? Could it be the user's client has a problem
> and uses different session numbers all the time?
>
> I will check out mod_dosevasive, thanks!
>
> At 06:49 PM 10/15/2003, Brian Dessent wrote:
> >Gil Disatnik wrote:
> >
> > > As you can see, a single IP is connecting to 61.112.113.115 and a different
> > > single IP is connecting to 142.61.13.11
> > > ps output shows that all servers were spawned in under a minute.
> > >
> > > Does that seem like an attack? Should I start contacting the relevant ISPs?
> > > (IP addresses are different from one "attack" to another, however most of
> > > them belong to the same ISP).
> > > (IP addresses listed here are not the real ones)
> >
> >Presumably there are accesslog entries for all these connections as
> >well? If there are actual legitimate requests associated with these
> >then it could be a broken spider/robot/web cache or something that's
> >hammering the server trying to gulp down too much. Or is it someone
> >just creating connections to take up resources and not actually do
> >anything?
> >
> >In either case you may want to check out mod_dosevasive, which was
> >created for this very situation (limiting frequent connects from the
> >same remote host.)
> >
> >Brian
> >
> >---------------------------------------------------------------------
> >The official User-To-User support forum of the Apache HTTP Server Project.
> >See for more info.
> >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >For additional commands, e-mail: users-help@httpd.apache.org
>
>
> Regards
>
> Gil Disatnik
> UNIX system administrator.
>
> GibsonLP@EFnet
> http://gil.disatnik.com
>
> _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> apt-get install slackware
> --------------------------------------------------------------------
> "Windows NT has detected mouse movement, you MUST restart
> your computer before the new settings will take effect, [ OK ]"
> --------------------------------------------------------------------
> Windows is a 32 bit patch to a 16 bit GUI based on a 8 bit operating
> system, written for a 4 bit processor by a 2 bit company which can
> not stand 1 bit of competition.
> -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
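
The check raised in the thread (do the many connections from one host have matching access-log entries, or do they only hold sockets?) can be scripted. This is an added example, not part of the original messages: the function name `triage`, the `min_conns` threshold, the labels, and the Common Log Format assumption are all illustrative, and the sample data is constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def triage(remote_ips, access_log_lines, min_conns=10):
    """Classify every client holding >= min_conns connections.

    remote_ips: one entry per established connection (e.g. the foreign
    address column of netstat output, port stripped).
    Returns {ip: (label, connections, requests, distinct_paths)}.
    """
    conns = Counter(remote_ips)
    requests, paths = Counter(), {}
    for line in access_log_lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, path = m.group(1), m.group(3)
        requests[ip] += 1
        paths.setdefault(ip, set()).add(path)
    report = {}
    for ip, n in conns.items():
        if n < min_conns:
            continue
        reqs = requests[ip]
        distinct = len(paths.get(ip, ()))
        if reqs == 0:
            label = "connections-only"   # holds sockets, sends no request
        elif reqs >= n:
            label = "requests-logged"    # spider / mirror / broken cache
        else:
            label = "mostly-idle"        # heuristic: fewer requests than sockets
        report[ip] = (label, n, reqs, distinct)
    return report

# Constructed sample data (not taken from the thread).
SAMPLE_CONNS = ["192.0.2.10"] * 40 + ["198.51.100.7"] * 25 + ["203.0.113.5"] * 2
SAMPLE_LOG = (
    ['192.0.2.10 - - [15/Oct/2003:18:40:%02d +0200] "GET /page%d.html HTTP/1.0" 200 512'
     % (i % 60, i) for i in range(45)]
    + ['203.0.113.5 - - [15/Oct/2003:18:41:00 +0200] "GET /index.php HTTP/1.1" 200 2048']
)

if __name__ == "__main__":
    for ip, row in sorted(triage(SAMPLE_CONNS, SAMPLE_LOG).items()):
        print(ip, *row)
```

A host labelled `requests-logged` with many distinct paths fits the spider or mirror explanation; `connections-only` fits the case of connections that take up child processes without doing anything.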