httpd-users mailing list archives

From: "Michael D. Wood" <m...@itsecuritypros.org>
Subject: Re: [users@httpd] Re: apache service interruption
Date: Thu, 01 Aug 2013 09:14:14 GMT
Truthfully, I've always limited connections from the source IP via a 
firewall before the traffic is even passed to apache.

On 08/01/2013 04:39 AM, Grant wrote:
>> Two different things come to mind.  Kingcope found an Apache byterange
>> vulnerability and the PoC code he wrote for it exhausts the resources on a
>> server running Apache.  Only 1 instance of his perl script had to be run.
>> LOIC is another that could possibly DoS your server from one source.  What
>> IP address was hitting your box when this happened?
>
> I'd rather not post the IP if that's OK.  I did notice my access_log
> entries were out of chronological order for the IP address in
> question.  Does that indicate a Slowloris attack?  Maybe it's just the
> result of the server bogging down in response to so many requests in a
> short amount of time.
>
> So I'm sure I understand, a regular browser or unsophisticated script
> shouldn't be able to interrupt apache service by simply requesting a
> large number of pages in a short amount of time?  If not, how does
> apache prevent that from happening?
>
> - Grant
>
>>>> You wouldn't keep a syn proxy rule enabled all the time; only under a DoS
>>>> attack.  You could also implement ModSecurity.
>>>
>>> ModSecurity looks good and I think it works with nginx as well as
>>> apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
>>> vulnerable to a single client requesting too many pages and
>>> interrupting the service?
>>>
>>> - Grant
>>>
>>>>>> Also, you should be able to limit simultaneous client connections with
>>>>>> your firewall and pass the traffic in a syn proxy state. There are
>>>>>> numerous ways to achieve this.
>>>>>
>>>>> Is that the best way to go besides OSSEC HIDS?  I can imagine that
>>>>> sort of thing could cause problems.
>>>>>
>>>>> - Grant
>>>>>
>>>>>>> You can always compile from source ;)
>>>>>>> What version of Apache are you running?
>>>>>>>
>>>>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>>>>> Was it just an IP exhausting the apache service with too many
>>>>>>>>> connections?  What do you see in the access logs?  I use OSSEC HIDS
>>>>>>>>> on my apache servers to mitigate this.
>>>>>>>>
>>>>>>>> In the access log I see the same IP made many requests during the
>>>>>>>> service interruption and I think that exhausted the apache service.
>>>>>>>> It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is there
>>>>>>>> another way to prevent this sort of thing?
>>>>>>>>
>>>>>>>> - Grant
>>>>>>>>
>>>>>>>>>>> My server has 4GB RAM and uses nginx as a reverse proxy to apache.
>>>>>>>>>>> A little while ago my website became inaccessible for about 30
>>>>>>>>>>> minutes.  I checked my munin graphs and it looks like apache
>>>>>>>>>>> processes spiked to about 29 during this time which is many times
>>>>>>>>>>> greater than usual.  I have MaxClients at 30 and the error log
>>>>>>>>>>> verifies that MaxClients was not reached.  The strange part is
>>>>>>>>>>> system disk latency shows a spike during the interruption which is
>>>>>>>>>>> only very slightly greater than other spikes which did not
>>>>>>>>>>> interrupt service.  System CPU, memory, and swap usage don't show
>>>>>>>>>>> anything interesting at all.
>>>>>>>>>>>
>>>>>>>>>>> Does this make sense to anyone?  Should I decrease MaxClients?
>>>>>>>>>>>
>>>>>>>>>>> - Grant
>>>>>>>>>>
>>>>>>>>>> I've looked over my access_log and I can see there is a particular
>>>>>>>>>> IP which was making many requests during the interruption.  Since
>>>>>>>>>> munin does not show there was an excessive amount of memory or CPU
>>>>>>>>>> usage, lowering MaxClients won't help?
>>>>>>>>>>
>>>>>>>>>> - Grant


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
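The two questions Grant asks above (was one IP hammering the server during the interruption, and do out-of-order access_log entries for that IP mean anything?) can both be answered from the access log itself. The script below is an added example for readers of this thread, not code from the thread, from Apache or from OSSEC/ModSecurity: it parses combined-format access_log lines, finds the peak request rate per client IP inside a sliding window, and counts entries logged earlier than the preceding one for the same IP. The log lines, the IP addresses (documentation ranges) and the 10-second / 20-request thresholds are all constructed for illustration.

```python
"""Per-IP request-rate check over Apache access_log lines (added example).

Not part of the mailing-list thread. Sample data and thresholds are
constructed; adjust the window and threshold to your own traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 29/Jul/2013:02:59:00 +0000


def parse_line(line):
    """Return (ip, datetime, request line) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def requests_per_ip(lines):
    """Group request timestamps by client IP, keeping the order they were logged in."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _ = parsed
            by_ip[ip].append(ts)
    return by_ip


def peak_rate(timestamps, window=timedelta(seconds=10)):
    """Largest number of requests from one IP inside any sliding time window.
    Timestamps are sorted first so out-of-order log entries do not skew the count."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def out_of_order(timestamps):
    """Count entries whose timestamp precedes the previous entry for the same IP.
    Apache writes the access_log entry when a request finishes, and %t is the
    request start time, so requests that take longer under load are logged
    after requests that started later. Out-of-order entries therefore
    indicate slow completions, not by themselves a particular attack tool."""
    return sum(1 for a, b in zip(timestamps, timestamps[1:]) if b < a)


def flag_ips(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: (peak requests in window, out-of-order entries)} for every
    IP whose peak rate reaches the threshold."""
    report = {}
    for ip, ts in requests_per_ip(lines).items():
        rate = peak_rate(ts, window)
        if rate >= threshold:
            report[ip] = (rate, out_of_order(ts))
    return report


def sample_log():
    """Constructed sample: 192.0.2.10 sends 30 requests inside 6 seconds, two of
    them logged out of order; 198.51.100.7 sends 3 requests a minute apart."""
    base = datetime(2013, 7, 29, 2, 59, 0, tzinfo=timezone.utc)
    offsets = [i // 5 for i in range(30)]          # five requests per second
    offsets[9], offsets[10] = offsets[10], offsets[9]    # one late completion
    offsets[24], offsets[25] = offsets[25], offsets[24]  # and another
    lines = [
        f'192.0.2.10 - - [{(base + timedelta(seconds=s)).strftime(TS_FMT)}] '
        f'"GET /page{i}.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
        for i, s in enumerate(offsets)
    ]
    lines += [
        f'198.51.100.7 - - [{(base + timedelta(seconds=60 * i)).strftime(TS_FMT)}] '
        f'"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
        for i in range(3)
    ]
    return lines


if __name__ == "__main__":
    for ip, (rate, ooo) in flag_ips(sample_log()).items():
        print(f"{ip}: peak {rate} requests in 10s, {ooo} out-of-order entries")
```

Run it against a real log with `flag_ips(open("/var/log/apache2/access_log"))` and tune the window and threshold to what your legitimate clients actually do; a per-IP rate from this script is evidence for choosing a firewall connection limit, which is where Michael's reply puts the mitigation, rather than a mitigation by itself.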