From: Kumar Muthuramalingam
To: Tomcat Users List
Date: Sat, 8 Feb 2014 23:22:25 -0500
Subject: Re: sudden increase in tomcat sessions..?

Thanks for your reply. What happened actually was there was a sudden increase in invalid sessions as I said before and we manually deleted those sessions using the tomcat manager. And then it appeared to be normal. But then it occurred three times in last two weeks. It's a production environment. My question is not how to stop something so that it could stop the ping requests but I would like to know what could be the cause for it and how can I find the cause? Please help me.

Thanks,
Kumar.

On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty wrote:

> DOS (Denial of Service) Attack
>
> one type is endless ping
>
> if someone is running an endless loop of ping attacks on your TC server
>
> you can disable ICMP on TC server
>
> https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
>
> DOC attack usually results in TROJ_MDROPPER.* on system
> NAV and McAfee can detect these malware attachments on Word Docs
>
> http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
>
> HTH
> Martin
>
> > Date: Sat, 8 Feb 2014 19:54:32 -0500
> > Subject: Re: sudden increase in tomcat sessions..?
> > From: kumarkmmca@gmail.com
> > To: users@tomcat.apache.org
> >
> > Hi David,
> > Thanks for your reply. How can I verify that it is a DOC attack?
> > Which log should I refer to? Please guide me.
> >
> > Thanks,
> > Kumar.
> >
> > On Sat, Feb 8, 2014 at 7:42 PM, David Kerber wrote:
> >
> > > On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
> > >
> > >> Hi,
> > >> I'm using tomcat version 6 and 7. One day there was a sudden
> > >> increase in number of sessions in both tomcats. And all the
> > >> sessions had no username, same lastaccessed time, same created
> > >> time and the inactive time was 00:00:00. It is not happening
> > >> always but it happens sometimes on some day. Can't predict. And
> > >> we have set the idle timeout as -1 because we have to.
> > >> When I try to dig the log. It showed that the load balancer IP
> > >> was sending many ping requests to our application. Can anybody
> > >> tell why this is happening and how can I find the cause?
> > >>
> > >
> > > DOS attack?
> > >
> > >> Thanks,
> > >> Kumar.
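
The following is an added example, not part of the original thread: one way to see in the access log which client and URL a burst of sessions comes from. It groups entries by client address, minute and path and counts distinct session IDs. It assumes the Tomcat AccessLogValve is configured with the pattern `%h %t "%r" %s %S` (`%S` is the session ID); the log lines, addresses, paths, session IDs and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed AccessLogValve pattern: %h %t "%r" %s %S   (%S prints "-" when there is no session)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<sid>\S+)$'
)

# Constructed sample lines; 10.0.0.5 stands in for the load balancer address.
SAMPLE_LOG = """\
10.0.0.5 [08/Feb/2014:18:40:01 -0500] "GET /app/ping HTTP/1.1" 200 SID0001
10.0.0.5 [08/Feb/2014:18:40:11 -0500] "GET /app/ping HTTP/1.1" 200 SID0002
10.0.0.5 [08/Feb/2014:18:40:21 -0500] "GET /app/ping HTTP/1.1" 200 SID0003
10.0.0.5 [08/Feb/2014:18:40:31 -0500] "GET /app/ping HTTP/1.1" 200 SID0004
192.168.1.20 [08/Feb/2014:18:40:05 -0500] "GET /app/home HTTP/1.1" 200 SID0100
192.168.1.20 [08/Feb/2014:18:40:09 -0500] "POST /app/save HTTP/1.1" 302 SID0100
192.168.1.21 [08/Feb/2014:18:40:12 -0500] "GET /app/logo.png HTTP/1.1" 200 -
this line does not match the pattern and is skipped
"""


def session_bursts(lines, threshold=3):
    """Return (ip, minute, path, distinct_sessions) tuples where one client
    was associated with at least `threshold` different session IDs on one
    path within one minute, largest first."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("sid") == "-":
            continue  # unparsable line, or request without a session
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        key = (m.group("ip"), ts.strftime("%Y-%m-%d %H:%M"), m.group("path"))
        seen[key].add(m.group("sid"))
    hits = [(ip, minute, path, len(sids))
            for (ip, minute, path), sids in seen.items()
            if len(sids) >= threshold]
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    for ip, minute, path, count in session_bursts(SAMPLE_LOG.splitlines()):
        print(f"{minute}  {ip}  {path}  distinct sessions: {count}")
```

A client that returns its session cookie shows one session ID across many requests; a client that shows a different ID on every request to the same path is the one to look at.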