httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bill Unruh <un...@physics.ubc.ca>
Subject Re: [users@httpd] Denial of Service due to multiplication of httpd running
Date Thu, 24 May 2012 02:47:37 GMT
On Tue, 22 May 2012, Bill Unruh wrote:

>
> Madriva 2010.2 running httpd apache 2.2.22
>
> I am having trouble with httpd requests staying active and multiplying. I 
> just came off having 160 versions of httpd running and completely slowing
> down the system. I upgraded to 2.2.22 and it still happens (it went from the
> normal 10 servers running to 15 in about a 1/2 hour.) According to the start
> times, these seem to be associated with totally bizarre requests from google
> (forged addresses?)
>
> Eg, here is one entry from the ps auxww  list
>
> apache   18137  0.0  0.5  26844  5744 ?        S    09:34   0:00 
> /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL 
> -DHAVE_PHP5 -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAVE_AUTH_BASIC 
> -DHAVE_AUTH_DIGEST -DHAVE_AUTHN_ALIAS -DHAVE_AUTHN_ANON -DHAVE_AUTHN_DBM 
> -DHAVE_AUTHN_DEFAULT -DHAVE_AUTHN_FILE -DHAVE_AUTHZ_DBM -DHAVE_AUTHZ_DEFAULT 
> -DHAVE_AUTHZ_GROUPFILE -DHAVE_AUTHZ_HOST -DHAVE_AUTHZ_OWNER -DHAVE_AUTHZ_USER 
> -DHAVE_AUTOINDEX -DHAVE_BUCKETEER -DHAVE_CASE_FILTER -DHAVE_CASE_FILTER_IN 
> -DHAVE_CERN_META -DHAVE_CGI -DHAVE_CGID -DHAVE_CHARSET_LITE -DHAVE_DIR 
> -DHAVE_DUMPIO -DHAVE_ECHO -DHAVE_ENV -DHAVE_EXAMPLE -DHAVE_EXPIRES 
> -DHAVE_EXT_FILTER -DHAVE_FILTER -DHAVE_HEADERS -DHAVE_IDENT -DHAVE_IMAGEMAP 
> -DHAVE_INCLUDE -DHAVE_INFO -DHAVE_LOG_CONFIG -DHAVE_LOG_FORENSIC -DHAVE_LOGIO 
> -DHAVE_MIME -DHAVE_MIME_MAGIC -DHAVE_NEGOTIATION -DHAVE_OPTIONAL_FN_EXPORT 
> -DHAVE_OPTIONAL_FN_IMPORT -DHAVE_OPTIONAL_HOOK_EXPORT 
> -DHAVE_OPTIONAL_HOOK_IMPORT -DHAVE_REWRITE -DHAVE_SETENVIF -DHAVE_SPELING 
> -DHAVE_SSL -DHAVE_STATUS -DHAVE_SUBSTITUTE -DHAVE_SUEXEC -DHAVE_UNIQUE_ID 
> -DHAVE_USERTRACK -DHAVE_VERSION -DHAVE_VHOST_ALIAS
>
> At that time in the access_log I have a whole bunch of entries like
> : : 1 - - [22/May/2012:09:34:22 -0700] "OPTIONS * HTTP/1.0" 200 - "-" 
> : : "Apache/2.2.22 (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy 
> : : connection)"
>
>
> In the past I have also had connections like 66.249.68.198 - - 
> [22/May/2012:09:35:25 -0700] "GET 
> /aggregator/www.umsl.edu/~keelr/010/www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11

> HTTP/1.1" 200 58609 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; 
> +http://www.google.com/bot.html)"
>
> associated with the times of the startup of those persistant connections. 
> This
> looks to be a totally bizzare GET. since that address certainly has nothing 
> to
> do with my site.
>
> In the error log around that time I get nothing that looks suspicious
>
> [Tue May 22 09:31:54 2012] [error] [client 119.63.196.27] File does not 
> exist: /usr/local/http/htdocs/robots.txt
> [Tue May 22 09:32:25 2012] [error] [client 86.68.18.171] File does not exist: 
> /usr/local/http/htdocs/favicon.ico
> [Tue May 22 09:36:47 2012] [error] [client 89.144.206.157] File does not 
> exist: /usr/local/http/htdocs/thirdman/reichs/blank.gif, referer: 
> http://axion.physics.ubc.ca/thirdman/reichs/reichsbruecke.htm
>


OK, I have closed down that virtual host I had set up ( which was the source
of those aggregator web page requests), but I am still getting the same
problems. It starts out with 9 copies of httpd daemon running. After a few
hours it is up to 15 or 20. I have no idea what is causing this. 
I have now put in a cron job which checks every 10 min and if it finds more
than 24 instances of httpd running, it restarts httpd (service httpd restart)
But this is clearly a horrible kludge. 
Is there any way I can figure out what is triggering these versions of httpd
to be piling up?




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message