httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Markus Mayer <mymailli...@gmx.at>
Subject Re: [users@httpd] apache attack
Date Tue, 29 Mar 2005 12:50:19 GMT
Not likely.  We've seen this type of thing on our servers when mysql gets too 
busy or doesn't have enough resources to do its job.  Apache will keep the 
connections open until it's completed the request.  In apache2, which I 
assume you're using, the threads (again an assumption based on the guess that 
you're using php) have to wait for an answer from the mysql server, so they 
stay there until they can complete the request.  Apache writes to the logs 
when a request is complete, not before, which may be why you don't see the 
requests.  I don't know if you can change this behaviour.  Look in the error 
log file, maybe there's something there.  Also look at your error log level 
config for apache.

The exact cause is something you will have to look at.  If mysql falls into 
swap and is running slow, you need to either work on its configuration or do 
something with the hardware.  It may also be useful to look at the logs in 
mysql, assuming you have logging turned on.  Also, turn on the slow-request 
log feature in mysql to see requests that take too long (read the manual for 
info).

In your next posts, please include more info about what versions of what 
software you're using.

Markus.

On Tuesday 29 March 2005 14:18, seb hould wrote:
> I believe I was recently attacked but still there seems to be
> something missing.  Yesterday my web server went pretty slow at a
> certain point.   When I checked my Linux process list there we're
> roughly 10 times as much processes as usual (maxed from the apache
> configs) and Apache was killing the oldest processes.  This is not
> normal traffic, and I for sure thought I was either attacked or
> someone made a very bad script.  Strangely enough, there are
> absolutely no sign of additional requests in the apache logfile.  By
> looking at the file there are no more traffic at the time of the
> incident than in normal circumstances.  There ain't no sign of a bad
> script (same source IP, same URI).  So I'm supposing it was a DOS
> attack but can someone explain why it wouldn't show up in the logs.
> Is it that we recieved so many requests all at the same time and
> Apache wasn't able to process them ?  The load average on my server
> went over 33 and the MySQL server was also quite busy (it is located
> on another server).
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message