tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Mikusa <dmik...@gopivotal.com>
Subject Re: sudden increase in tomcat sessions..?
Date Mon, 10 Feb 2014 12:08:08 GMT
On Feb 9, 2014, at 4:27 AM, Leon Rosenberg <rosenberg.leon@gmail.com> wrote:

> Hello,
> 
> I think some things are mixed up here. Since you are behind a load
> balancer, its unlikely that you experience ping (icmp) DoS, at least that
> it goes through till your server.
> First, setup access logs in server.xml
> 
> <!-- Access log processes all example.      Documentation at:
> /docs/config/valve.html      Note: The pattern used is equivalent to using
> pattern="common" -->
> 
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
> 
>        prefix="localhost_access_log." suffix=".txt"
> 
>        pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b" />
> 
> Note: usually, if the load balancer is configured properly, tomcat will see
> the IP of the original request. If not, it will be send in a header field
> (in example X-Forwarded-For). If your load balancer doesn't send a header
> field - change its configuration to send one, you will need it anyway.

+1 Get your access logs working properly.  

One other option to do this would be to use a RemoteIpValve.  This will take the X-Forwarded-*
information from your proxy and override the corresponding request attributes.  It’s a nice
option because it fixes the request information for both your application and the access logs.

   http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

> 
> Check that the page your loadbalancer uses to check whether tomcat behind
> is available doesn't create a new session (session=false if its a jsp,
> don't use request.getSession() if its a servlet).

+1  I see this happen a lot.  

Beyond your load balancer, another possibility is that web crawlers are hitting your application.
 These bots often do not track session cookies and a single bot that crawls your site can
create quite a few sessions.  Here’s a link to a article Mark Thomas wrote that describes
the problem further.

   http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve

You can usually tell if bots are the culprit by looking at the user agent reported in the
requests.  Well behaved web crawlers will have a recognizable user agent.  

One way you can combat this is with Tomcat’s CrawlerSessionManagerValve.  This will prevent
certain user agent’s from creating sessions.  Here’s a link to the docs.

   http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Crawler_Session_Manager_Valve

Dan

> 
> If that doesn't help, download and install moskito following this guide:
> http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/
> 
> This will allow you to make charts of your sessions, you will see if there
> are any patterns in session increase/decrease, maybe also together with
> other values like users or requests.
> 
> If you have multiple tomcats you can setup moskito-control and put all the
> sessions from all tomcats into one chart:
> http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/
> 
> good luck.
> 
> regards
> 
> Leon.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam
> <kumarkmmca@gmail.com>wrote:
> 
>> Thanks for your reply. What happened actually was there was a sudden
>> increase in invalid sessions as I said before and we manually deleted those
>> sessions using the tomcat manager. And then it appeared to be normal. But
>> then it occurred three times in last two weeks. It' s a production
>> environment.
>> My question is not how to stop some thing so that it could stop the ping
>> requests but I would like to know what could be the cause for it and how
>> can I find the cause? Please help me.
>> 
>> Thanks,
>> Kumar.
>> 
>> 
>> On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty <mgainty@hotmail.com> wrote:
>> 
>>> DOS (Denial of Service) Attack
>>> 
>>> one type is endless ping
>>> 
>>> if someone is running a endless loop of ping attacks on your TC server
>>> 
>>> you can disable ICMP on TC server
>>> 
>>> 
>> https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
>>> 
>>> 
>>> 
>>> DOC attack usually results in TROJ_MDROPPER.* on system
>>> NAV and McAfee can detect these malware attachments on Word Docs
>>> 
>>> 
>>> 
>> http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
>>> 
>>> 
>>> HTH
>>> Martin
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> Date: Sat, 8 Feb 2014 19:54:32 -0500
>>>> Subject: Re: sudden increase in tomcat sessions..?
>>>> From: kumarkmmca@gmail.com
>>>> To: users@tomcat.apache.org
>>>> 
>>>> Hi David,
>>>> Thanks for your reply. How can I verify that it is a DOC attack? which
>>>> log i should refer.please guide me.
>>>> 
>>>> Thanks,
>>>> Kumar.
>>>> 
>>>> 
>>>> On Sat, Feb 8, 2014 at 7:42 PM, David Kerber <dckerber@verizon.net>
>>> wrote:
>>>> 
>>>>> On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
>>>>> 
>>>>>> Hi,
>>>>>> I 'm using tomcat version 6 and 7. One day there was a sudden
>> increase
>>>>>> in
>>>>>> number of sessions in both tomcats. And all the sessions had no
>>> username,
>>>>>> same lastaccessed time, same created time and the inactive time was
>>>>>> 00:00:00. It is not happening always but it happens some times on
>> some
>>>>>> day.
>>>>>> Can't predict. And We have set the idle timeout as -1 because we
>> have
>>> to.
>>>>>> When I try to dig the log. It showed that the load balancer IP was
>>> sending
>>>>>> many ping requests to our application. Can anybody tell why this
is
>>>>>> happening and how can I find the cause?
>>>>>> 
>>>>> 
>>>>> DOS attack?
>>>>> 
>>>>> 
>>>>> 
>>>>>> Thanks,
>>>>>> Kumar.
>>>>>> 
>>>>>> 
>>>>> 
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>>> 
>>>>> 
>>> 
>>> 
>> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message