From: Daniel Mikusa <dmikusa@gopivotal.com>
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: sudden increase in tomcat sessions..?
Date: Mon, 10 Feb 2014 07:08:08 -0500
Message-Id: <21B40F0D-2701-4DBF-9F43-3ACD352E4E98@gopivotal.com>
References: <52F6CEDF.5080907@verizon.net>

On Feb 9, 2014, at 4:27 AM, Leon Rosenberg wrote:

> Hello,
>
> I think some things are mixed up here. Since you are behind a load
> balancer, it's unlikely that you experience ping (icmp) DoS, at least
> that it goes through till your server.
> First, setup access logs in server.xml
>
>     <Valve className="org.apache.catalina.valves.AccessLogValve"
>            directory="logs"
>            prefix="localhost_access_log." suffix=".txt"
>            pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b" />
>
> Note: usually, if the load balancer is configured properly, tomcat will see
> the IP of the original request. If not, it will be sent in a header field
> (for example X-Forwarded-For). If your load balancer doesn't send a header
> field - change its configuration to send one, you will need it anyway.

+1 Get your access logs working properly.

One other option to do this would be to use a RemoteIpValve. This will take
the X-Forwarded-* information from your proxy and override the corresponding
request attributes. It's a nice option because it fixes the request
information for both your application and the access logs.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve

> Check that the page your load balancer uses to check whether tomcat behind
> is available doesn't create a new session (session=false if it's a jsp,
> don't use request.getSession() if it's a servlet).

+1 I see this happen a lot.

Beyond your load balancer, another possibility is that web crawlers are
hitting your application. These bots often do not track session cookies and
a single bot that crawls your site can create quite a few sessions. Here's a
link to an article Mark Thomas wrote that describes the problem further.

http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve

You can usually tell if bots are the culprit by looking at the user agent
reported in the requests. Well behaved web crawlers will have a recognizable
user agent.

One way you can combat this is with Tomcat's CrawlerSessionManagerValve.
This will prevent certain user agents from creating sessions. Here's a link
to the docs.

http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Crawler_Session_Manager_Valve

Dan

> If that doesn't help, download and install moskito following this guide:
> http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/
>
> This will allow you to make charts of your sessions, you will see if there
> are any patterns in session increase/decrease, maybe also together with
> other values like users or requests.
>
> If you have multiple tomcats you can setup moskito-control and put all the
> sessions from all tomcats into one chart:
> http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/
>
> good luck.
>
> regards
>
> Leon.
>
> On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam wrote:
>
>> Thanks for your reply. What happened actually was there was a sudden
>> increase in invalid sessions as I said before and we manually deleted those
>> sessions using the tomcat manager. And then it appeared to be normal. But
>> then it occurred three times in the last two weeks. It's a production
>> environment.
>> My question is not how to stop something so that it could stop the ping
>> requests but I would like to know what could be the cause for it and how
>> can I find the cause? Please help me.
>>
>> Thanks,
>> Kumar.
>>
>> On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty wrote:
>>
>>> DOS (Denial of Service) Attack
>>>
>>> one type is endless ping
>>>
>>> if someone is running an endless loop of ping attacks on your TC server
>>> you can disable ICMP on TC server
>>>
>>> https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
>>>
>>> DOC attack usually results in TROJ_MDROPPER.* on system
>>> NAV and McAfee can detect these malware attachments on Word Docs
>>>
>>> http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
>>>
>>> HTH
>>> Martin
>>>
>>>> Date: Sat, 8 Feb 2014 19:54:32 -0500
>>>> Subject: Re: sudden increase in tomcat sessions..?
>>>> From: kumarkmmca@gmail.com
>>>> To: users@tomcat.apache.org
>>>>
>>>> Hi David,
>>>> Thanks for your reply. How can I verify that it is a DOC attack? Which
>>>> log should I refer to? Please guide me.
>>>>
>>>> Thanks,
>>>> Kumar.
>>>>
>>>> On Sat, Feb 8, 2014 at 7:42 PM, David Kerber wrote:
>>>>
>>>>> On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
>>>>>
>>>>>> Hi,
>>>>>> I'm using tomcat version 6 and 7. One day there was a sudden increase
>>>>>> in number of sessions in both tomcats. And all the sessions had no
>>>>>> username, same last accessed time, same created time and the inactive
>>>>>> time was 00:00:00. It is not happening always but it happens sometimes
>>>>>> on some day. Can't predict. And we have set the idle timeout as -1
>>>>>> because we have to.
>>>>>> When I try to dig the log, it showed that the load balancer IP was
>>>>>> sending many ping requests to our application. Can anybody tell why
>>>>>> this is happening and how can I find the cause?
>>>>>
>>>>> DOS attack?
>>>>>
>>>>>> Thanks,
>>>>>> Kumar.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
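Added example for the thread above; it is not code from the list, from Dan, Leon or the Tomcat project. The script does offline what the advice in the thread describes: it parses AccessLogValve lines, resolves the real client from X-Forwarded-For the way RemoteIpValve does (only trusting the header when the direct peer is a known proxy), and then groups requests by client and user agent to surface the two session-churn patterns discussed, a load-balancer health check that opens a session on every hit and a crawler that never sends the JSESSIONID cookie back. It goes a little beyond the thread in that it handles a multi-hop X-Forwarded-For value. The log pattern is the one Leon quoted, extended with the standard `%{User-Agent}i` and `%S` (session id) fields; that extension, the 10.0.0.0/8 proxy network and the log lines themselves are my assumptions and constructed sample data.

```python
"""Find clients that get a brand-new Tomcat session on every request.

Added example for the mailing-list thread; not code from the list or Tomcat.
It reads AccessLogValve lines written with the pattern quoted in the thread,
extended by two fields the analysis needs (an assumption on my side):
    %h %{X-Forwarded-For}i %l %u %t "%r" %s %b "%{User-Agent}i" %S
The proxy network and the log lines below are constructed sample data.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed load-balancer range; plays the role of RemoteIpValve's internalProxies.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# X-Forwarded-For is logged verbatim and may contain ", " between hops,
# so it is matched non-greedily instead of as a single \S+ token.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<xff>.+?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<agent>[^"]*)" (?P<session>\S+)$'
)

# Constructed sample: a health check sent by the balancer itself, one real
# user behind it, a crawler that drops the cookie, and a static file with no session.
SAMPLE_LOG = """\
10.0.0.5 - - - [10/Feb/2014:07:08:01 -0500] "GET /health.jsp HTTP/1.1" 200 12 "LB-HealthCheck/1.0" 1A2B3C
10.0.0.5 203.0.113.7 - - [10/Feb/2014:07:08:02 -0500] "GET /login HTTP/1.1" 200 3401 "Mozilla/5.0" AAAA01
10.0.0.5 203.0.113.7 - - [10/Feb/2014:07:08:03 -0500] "POST /login HTTP/1.1" 302 - "Mozilla/5.0" AAAA01
10.0.0.5 198.51.100.9, 10.0.0.5 - - [10/Feb/2014:07:08:04 -0500] "GET /products/1 HTTP/1.1" 200 5120 "Mozilla/5.0 (compatible; Googlebot/2.1)" B0B001
10.0.0.5 198.51.100.9, 10.0.0.5 - - [10/Feb/2014:07:08:05 -0500] "GET /products/2 HTTP/1.1" 200 5133 "Mozilla/5.0 (compatible; Googlebot/2.1)" B0B002
10.0.0.5 - - - [10/Feb/2014:07:08:06 -0500] "GET /health.jsp HTTP/1.1" 200 12 "LB-HealthCheck/1.0" 4D5E6F
10.0.0.5 198.51.100.9, 10.0.0.5 - - [10/Feb/2014:07:08:07 -0500] "GET /products/3 HTTP/1.1" 200 5098 "Mozilla/5.0 (compatible; Googlebot/2.1)" B0B003
10.0.0.5 203.0.113.7 - - [10/Feb/2014:07:08:09 -0500] "GET /home HTTP/1.1" 200 8810 "Mozilla/5.0" AAAA01
10.0.0.5 - - - [10/Feb/2014:07:08:11 -0500] "GET /health.jsp HTTP/1.1" 200 12 "LB-HealthCheck/1.0" 7A8B9C
10.0.0.5 203.0.113.7 - - [10/Feb/2014:07:08:12 -0500] "GET /static/logo.png HTTP/1.1" 200 4410 "Mozilla/5.0" -
"""


def is_trusted(addr):
    """True if addr lies inside one of the proxy networks we trust."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(host, xff):
    """Resolve the real client the way RemoteIpValve does (simplified here):
    honour X-Forwarded-For only when the direct peer is a trusted proxy, then
    walk the hops right-to-left and stop at the first untrusted address."""
    if not is_trusted(host) or xff == "-":
        return host                      # untrusted peer: the header could be forged
    hops = [h.strip() for h in xff.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]                       # every hop was a proxy; keep the leftmost


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = client_ip(rec["host"], rec["xff"])
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) > 1 else rec["request"]
    return rec


def session_report(lines, min_requests=3):
    """Group requests by (client, user agent) and flag groups in which every
    request created its own session: the signature of a health check hitting
    a session-creating page, or of a crawler that never returns the cookie."""
    groups = defaultdict(lambda: {"requests": 0, "sessions": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["session"] == "-":
            continue                     # unparsable, or no session was involved
        g = groups[(rec["client"], rec["agent"])]
        g["requests"] += 1
        g["sessions"].add(rec["session"])
        g["paths"].add(rec["path"])
    report = []
    for (client, agent), g in sorted(groups.items()):
        suspicious = g["requests"] >= min_requests and len(g["sessions"]) == g["requests"]
        report.append({"client": client, "agent": agent, "requests": g["requests"],
                       "sessions": len(g["sessions"]), "paths": sorted(g["paths"]),
                       "suspicious": suspicious})
    return report


if __name__ == "__main__":
    for row in session_report(SAMPLE_LOG.splitlines()):
        flag = "NEW SESSION PER REQUEST" if row["suspicious"] else "ok"
        print(f'{row["client"]:<14} {row["requests"]:>3} req {row["sessions"]:>3} sess  '
              f'{flag:<24} {row["agent"]}  {",".join(row["paths"])}')
```

Without RemoteIpValve in server.xml, `%h` is always the balancer's address, which is why the script does the X-Forwarded-For resolution itself; with the valve in place `%h` already holds the client and the `xff` column can be ignored. In the sample, the balancer's own user agent shows three requests to one path with three different sessions, which is exactly the health-check case Leon describes (fixed by `session="false"` on the JSP or by not calling `request.getSession()`), and the crawler shows the one-session-per-request pattern that CrawlerSessionManagerValve is meant to absorb; the real user keeps one session across all three requests. Run it against a day of real logs with `session_report(open(path))` and sort on the `requests` column.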