From: ServerForge Administration
Date: Mon, 30 Aug 2004 03:51:59 +0100
To: users@httpd.apache.org
Subject: Re: [users@httpd] DoS against apache

ok, I am reeeeeally feeling foolish right about now. I have been working on this problem for a few days now, and holding off on sending a message to a board like this because I also personally hate when people tell me that something is 'broken' and I should 'fix it' without researching the problem for themselves.

Well lo and behold almost as soon as I hit send on the message I had a flash of inspiration.... the server is configured to rate limit syns.... so all that was happening was my firewalling was not allowing more than 10 syns per second, meaning a large number of connections were dropped.

I turned off the syn rate limiting, and it sprang back to life suddenly.

I'll go and beat myself up, you don't have to do it for me.

sorry for wasting your time.

Chris Zakelj wrote:

> I can speculate that yet another w32 worm is in the process of
> breaking, this one attempting to connect to an IRC server that you're
> not running (NICK is an IRC command to set one's nickname). My guess
> is either the intended server used to have your IP address, or some
> kiddie made a goof. As for why your system is being floored by it,
> you haven't told us what kind of hardware you've got, just your OS and
> Apache versions.
>
> ServerForge Administration wrote:
>
>> 217.44.74.225 - - [29/Aug/2004:22:21:00 -0400] "NICK D3V1L-622283" 400 - "-" "-"
>>
>> My question really is does anyone know what this attack is, and does
>> anyone know a better way to filter it... as 1kb a second of data
>> should not be enough to floor apache.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
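
An added example, not part of the original thread: a Python script that buckets access-log lines by second, counts the ones whose request field is not HTTP (like the quoted `NICK` line), and flags seconds where the logged total reaches the 10-per-second SYN limit mentioned in the message. It assumes each logged line corresponds to one new connection (keep-alive would break that); the sample lines and the names `SAMPLE`, `parse` and `summarize` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Access-log layout as in the line quoted in the thread. The request field may
# hold a non-HTTP string such as an IRC "NICK ..." command.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')
HTTP_REQ_RE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
SYN_LIMIT = 10  # new connections per second, the firewall limit named in the thread

# Constructed sample (documentation addresses, invented nicknames).
SAMPLE = [
    f'192.0.2.{i + 1} - - [29/Aug/2004:22:21:00 -0400] "NICK TEST-{i:06d}" 400 - "-" "-"'
    for i in range(9)
] + [
    '198.51.100.7 - - [29/Aug/2004:22:21:00 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    '198.51.100.7 - - [29/Aug/2004:22:21:01 -0400] "GET /logo.png HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [29/Aug/2004:22:21:01 -0400] "GET / HTTP/1.0" 200 230 "-" "-"',
]

def parse(line):
    """Return (ip, timestamp, request, status), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req, int(status)

def summarize(lines, limit=SYN_LIMIT):
    """Per second: logged requests, non-HTTP ones, and whether the limit was reached."""
    per_sec = defaultdict(lambda: [0, 0])  # timestamp -> [total, junk]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        _, when, req, _ = rec
        per_sec[when][0] += 1
        if not HTTP_REQ_RE.match(req):
            per_sec[when][1] += 1
    return [
        {"second": when.isoformat(), "total": t, "junk": j, "at_limit": t >= limit}
        for when, (t, j) in sorted(per_sec.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A second flagged `at_limit` with a high `junk` count means the non-HTTP connections used up most of that second's SYN allowance; connections dropped by the firewall never reach the log, so the count is a lower bound on attempts.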