httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Grant <>
Subject Re: [users@httpd] Re: apache service interruption
Date Thu, 01 Aug 2013 08:39:45 GMT
> Two different things come to mind.  Kingcope found an Apache byterange
> vulnerability and the PoC code he wrote for it exhausts the resources on a
> server running Apache.  Only 1 instance of his perl script had to be ran.
> LOIC is another that could possible DoS your server from one source.  What
> IP address was hitting your box when this happened?

I'd rather not post the IP if that's OK.  I did notice my access_log
entries were out of chronological order for the IP address in
question.  Does that indicate a Slowloris attack?  Maybe it's just the
result of the server bogging down in response to so many requests in a
short amount of time.

So I'm sure I understand, a regular browser or unsophisticated script
shouldn't be able to interrupt apache service by simply requesting a
large number of pages in a short amount of time?  If not, how does
apache prevent that from happening?

- Grant

>>> You wouldn't keep a syn proxy rule enabled all the time; only under a DoS
>>> attack.  You could also implement ModSecurity.
>> ModSecurity looks good and I think it works with nginx as well as
>> apache.  Is everyone who isn't running OSSEC HIDS or ModSecurity
>> vulnerable to a single client requesting too many pages and
>> interrupting the service?
>> - Grant
>>>>> Also, you should be able to limit simultaneous client connections with
>>>>> your
>>>>> firewall and pass the traffic in a syn proxy state. There are numerous
>>>>> ways
>>>>> to achieve this.
>>>> Is that the best way to go besides OSSEC HIDS?  I can imagine that
>>>> sort of thing could cause problems.
>>>> - Grant
>>>>>> You can always compile from source ;)
>>>>>> What version of Apache are you running?
>>>>>> On 07/29/2013 02:59 AM, Grant wrote:
>>>>>>>> Was it just an IP exhausting the apache service with too
>>>>>>>> connections?  What do you see in the access logs?  I use
>>>>>>>> on
>>>>>>>> my
>>>>>>>> apache servers to mitigate this.
>>>>>>> In the access log I see the same IP made many requests during
>>>>>>> service interruption and I think that exhausted the apache service.
>>>>>>> It looks like there isn't a Gentoo ebuild for OSSEC HIDS.  Is
>>>>>>> another way to prevent this sort of thing?
>>>>>>> - Grant
>>>>>>>>>> My server has 4GB RAM and uses nginx as a reverse
proxy to apache.
>>>>>>>>>> A
>>>>>>>>>> little while ago my website became inaccessible for
about 30
>>>>>>>>>> minutes.
>>>>>>>>>> I checked my munin graphs and it looks like apache
>>>>>>>>>> spiked
>>>>>>>>>> to
>>>>>>>>>> about 29 during this time which is many times greater
than usual.
>>>>>>>>>> I
>>>>>>>>>> have MaxClients at 30 and the error log verifies
that MaxClients
>>>>>>>>>> was
>>>>>>>>>> not reached.  The strange part is system disk latency
shows a
>>>>>>>>>> spike
>>>>>>>>>> during the interruption which is only very slightly
greater than
>>>>>>>>>> other
>>>>>>>>>> spikes which did not interrupt service.  System CPU,
memory, and
>>>>>>>>>> swap
>>>>>>>>>> usage don't show anything interesting at all.
>>>>>>>>>> Does this make sense to anyone?  Should I decrease
>>>>>>>>>> - Grant
>>>>>>>>> I've looked over my access_log and I can see there is
a particular
>>>>>>>>> IP
>>>>>>>>> which was making many requests during the interruption.
>>>>>>>>> munin
>>>>>>>>> does not show there was an excessive amount of memory
or CPU usage,
>>>>>>>>> lowering MaxClients won't help?
>>>>>>>>> - Grant

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message