httpd-users mailing list archives

From "Michael D. Wood" <m...@itsecuritypros.org>
Subject Re: [users@httpd] Re: apache service interruption
Date Tue, 30 Jul 2013 06:44:34 GMT
Two different things come to mind.  Kingcope found an Apache byterange
vulnerability and the PoC code he wrote for it exhausts the resources on
a server running Apache.  Only 1 instance of his perl script had to be
run.  LOIC is another that could possibly DoS your server from one
source.  What IP address was hitting your box when this happened?

On 07/30/2013 02:25 AM, Grant wrote:
>> You wouldn't keep a syn proxy rule enabled all the time; only under
>> a DoS attack.  You could also implement ModSecurity.
>
> ModSecurity looks good and I think it works with nginx as well as
> apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
> vulnerable to a single client requesting too many pages and
> interrupting the service?
>
> - Grant
>
>
>>>> Also, you should be able to limit simultaneous client connections
>>>> with your firewall and pass the traffic in a syn proxy state. There
>>>> are numerous ways to achieve this.
>>>
>>>
>>> Is that the best way to go besides OSSEC HIDS?  I can imagine that
>>> sort of thing could cause problems.
>>>
>>> - Grant
>>>
>>>
>>>>> You can always compile from source ;)
>>>>> What version of Apache are you running?
>>>>>
>>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>>>
>>>>>>>
>>>>>>> Was it just an IP exhausting the apache service with too many
>>>>>>> connections?  What do you see in the access logs?  I use OSSEC
>>>>>>> HIDS on my apache servers to mitigate this.
>>>>>>
>>>>>>
>>>>>>
>>>>>> In the access log I see the same IP made many requests during
>>>>>> the service interruption and I think that exhausted the apache
>>>>>> service.  It looks like there isn't a Gentoo ebuild for OSSEC
>>>>>> HIDS.  Is there another way to prevent this sort of thing?
>>>>>>
>>>>>> - Grant
>>>>>>
>>>>>>
>>>>>>>>> My server has 4GB RAM and uses nginx as a reverse proxy to
>>>>>>>>> apache. A little while ago my website became inaccessible for
>>>>>>>>> about 30 minutes.  I checked my munin graphs and it looks like
>>>>>>>>> apache processes spiked to about 29 during this time which is
>>>>>>>>> many times greater than usual. I have MaxClients at 30 and the
>>>>>>>>> error log verifies that MaxClients was not reached.  The strange
>>>>>>>>> part is system disk latency shows a spike during the
>>>>>>>>> interruption which is only very slightly greater than other
>>>>>>>>> spikes which did not interrupt service.  System CPU, memory,
>>>>>>>>> and swap usage don't show anything interesting at all.
>>>>>>>>>
>>>>>>>>> Does this make sense to anyone?  Should I decrease MaxClients?
>>>>>>>>>
>>>>>>>>> - Grant
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I've looked over my access_log and I can see there is a
>>>>>>>> particular IP which was making many requests during the
>>>>>>>> interruption.  Since munin does not show there was an excessive
>>>>>>>> amount of memory or CPU usage, lowering MaxClients won't help?
>>>>>>>>
>>>>>>>> - Grant


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
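The thread's recurring question is how to tell from the access_log that one client was hammering the server during the outage. As an added example (not code from anyone in this thread), the Python below parses Apache combined-format log lines and reports any IP whose request count in a sliding time window exceeds a threshold; the log lines, documentation-range IPs, window and threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" LogFormat (the default access_log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Timestamp looks like 29/Jul/2013:02:59:01 +0000; the offset is dropped here.
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), ts

def find_bursty_ips(lines, window_s=60, threshold=20):
    """Map each IP whose peak request count in any window_s-second window exceeds threshold to that peak."""
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample (documentation IPs): one client fires 25 requests in 25 s,
# another makes two requests eleven minutes apart, plus one unparseable line.
SAMPLE = [
    '198.51.100.7 - - [29/Jul/2013:02:59:%02d +0000] "GET /page%d HTTP/1.1" '
    '200 1234 "-" "Mozilla/5.0"' % (i, i) for i in range(25)
] + [
    '203.0.113.9 - - [29/Jul/2013:02:59:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.30"',
    '203.0.113.9 - - [29/Jul/2013:03:10:05 +0000] "GET /about HTTP/1.1" 200 900 "-" "curl/7.30"',
    "garbage line that does not parse",
]
```

Run it against a real access_log by replacing SAMPLE with the file's lines; the threshold should be tuned to the site's normal per-client rate before an IP is acted on, since a busy proxy or crawler can legitimately exceed a low value.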

