httpd-users mailing list archives

From Bill Unruh <un...@physics.ubc.ca>
Subject [users@httpd] Denial of Service due to multiplication of httpd running
Date Tue, 22 May 2012 17:02:03 GMT

Mandriva 2010.2 running httpd apache 2.2.22

I am having trouble with httpd requests staying active and multiplying. 
I just came off having 160 versions of httpd running and completely slowing
down the system. I upgraded to 2.2.22 and it still happens (it went from the
normal 10 servers running to 15 in about a 1/2 hour.) According to the start
times, these seem to be associated with totally bizarre requests from Google
(forged addresses?)

E.g., here is one entry from the ps auxww list

apache   18137  0.0  0.5  26844  5744 ?        S    09:34   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
-DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAVE_AUTH_BASIC
-DHAVE_AUTH_DIGEST -DHAVE_AUTHN_ALIAS -DHAVE_AUTHN_ANON -DHAVE_AUTHN_DBM -DHAVE_AUTHN_DEFAULT
-DHAVE_AUTHN_FILE -DHAVE_AUTHZ_DBM -DHAVE_AUTHZ_DEFAULT -DHAVE_AUTHZ_GROUPFILE -DHAVE_AUTHZ_HOST
-DHAVE_AUTHZ_OWNER -DHAVE_AUTHZ_USER -DHAVE_AUTOINDEX -DHAVE_BUCKETEER -DHAVE_CASE_FILTER
-DHAVE_CASE_FILTER_IN -DHAVE_CERN_META -DHAVE_CGI -DHAVE_CGID -DHAVE_CHARSET_LITE -DHAVE_DIR
-DHAVE_DUMPIO -DHAVE_ECHO -DHAVE_ENV -DHAVE_EXAMPLE -DHAVE_EXPIRES -DHAVE_EXT_FILTER -DHAVE_FILTER
-DHAVE_HEADERS -DHAVE_IDENT -DHAVE_IMAGEMAP -DHAVE_INCLUDE -DHAVE_INFO -DHAVE_LOG_CONFIG -DHAVE_LOG_FORENSIC
-DHAVE_LOGIO -DHAVE_MIME -DHAVE_MIME_MAGIC -DHAVE_NEGOTIATION -DHAVE_OPTIONAL_FN_EXPORT -DHAVE_OPTIONAL_FN_IMPORT
-DHAVE_OPTIONAL_HOOK_EXPORT -DHAVE_OPTIONAL_HOOK_IMPORT -DHAVE_REWRITE -DHAVE_SETENVIF -DHAVE_SPELING
-DHAVE_SSL -DHAVE_STATUS -DHAVE_SUBSTITUTE -DHAVE_SUEXEC -DHAVE_UNIQUE_ID -DHAVE_USERTRACK
-DHAVE_VERSION -DHAVE_VHOST_ALIAS

At that time in the access_log I have a whole bunch of entries like
::1 - - [22/May/2012:09:34:22 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.22 (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy connection)"


In the past I have also had connections like
66.249.68.198 - - [22/May/2012:09:35:25 -0700] "GET /aggregator/www.umsl.edu/~keelr/010/www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11 HTTP/1.1" 200 58609 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

associated with the times of the startup of those persistent connections. This
looks to be a totally bizarre GET, since that address certainly has nothing to
do with my site.

In the error log around that time I get nothing that looks suspicious

[Tue May 22 09:31:54 2012] [error] [client 119.63.196.27] File does not exist: /usr/local/http/htdocs/robots.txt
[Tue May 22 09:32:25 2012] [error] [client 86.68.18.171] File does not exist: /usr/local/http/htdocs/favicon.ico
[Tue May 22 09:36:47 2012] [error] [client 89.144.206.157] File does not exist: /usr/local/http/htdocs/thirdman/reichs/blank.gif, referer: http://axion.physics.ubc.ca/thirdman/reichs/reichsbruecke.htm

-- 
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@physics.ubc.ca
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/
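
Added example, not part of the original message: a Python sketch of the correlation described above, which pulls the access_log entries logged around the minute shown in the ps START column and labels Apache's internal dummy connections and requests whose path nests several hostnames. The function names, the 60-second slack, the two-hostname threshold and the first sample entry are assumptions made for illustration; the other two sample entries are the ones quoted in the message.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
HOSTLIKE = re.compile(r'^(?:[a-z0-9-]+\.)+[a-z]{2,}$', re.I)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format entry
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def classify(rec):
    """Return 'internal', 'nested-path' or 'normal' for one parsed entry."""
    if rec["host"] in ("::1", "127.0.0.1") and "internal dummy connection" in rec["agent"]:
        return "internal"
    # Count hostname-like directory segments (final segment skipped: file names have dots).
    dirs = [s for s in rec["path"].split("?")[0].split("/") if s][:-1]
    if sum(1 for s in dirs if HOSTLIKE.match(s)) >= 2:
        return "nested-path"
    return "normal"

def entries_near_start(lines, start_minute, slack_s=60):
    """Entries logged during the minute shown in the ps START column, +/- slack_s."""
    lo = start_minute - timedelta(seconds=slack_s)
    hi = start_minute + timedelta(seconds=60 + slack_s)
    recs = [r for r in map(parse, lines) if r and lo <= r["time"] < hi]
    return [(r["time"].strftime("%H:%M:%S"), r["host"], classify(r)) for r in recs]

SAMPLE = [
    # constructed entry, outside the window
    '192.0.2.10 - - [22/May/2012:09:20:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # the two entries quoted in the message, line wraps removed
    '::1 - - [22/May/2012:09:34:22 -0700] "OPTIONS * HTTP/1.0" 200 - "-" '
    '"Apache/2.2.22 (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy connection)"',
    '66.249.68.198 - - [22/May/2012:09:35:25 -0700] "GET /aggregator/www.umsl.edu/~keelr/010/'
    'www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/'
    'homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11 '
    'HTTP/1.1" 200 58609 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]
START = datetime(2012, 5, 22, 9, 34, tzinfo=timezone(timedelta(hours=-7)))  # ps START 09:34

if __name__ == "__main__":
    print(entries_near_start(SAMPLE, START))
```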
