DOS Attack Over Apache, Full Of READING Connections
Feb 5, 2007
As you can see, my Apache is full of Reading connections... they are filling up my server, denying legitimate users from browsing through the websites hosted there... I think this is what is happening to me:
http://mail-archives.apache.org/mod_...l.gmail.com%3E
I'm using apache 1.3.3.7 on RHES 3 with the latest patches and kernel.
I am running apache 2.0 on CentOS 4.4 with PHP5 and mysql 5. I am wondering why the following is happening with apache:
If I go to [url]
This does not work, it times out. But if I go to:
[url]
With the trailing slash it works. That is annoying. Is there any way to take care of that so it works with or without the trailing slash? Below is my httpd.conf folder and virtual host settings:
<Directory "/var/www/html/">
    Options ExecCGI FollowSymLinks Includes IncludesNOEXEC SymLinksIfOwnerMatch
    AllowOverride none
</Directory>
</VirtualHost>
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#
<Directory "/">
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes Includes FollowSymLinks
We are currently using Apache 2.2.10 as the reverse proxy for the SAP portal server 7.3.1. The SAP applications are built based on webdynpro abap technology. 2 of the apps are getting intermittent spinning circles. The Apache server will ultimately time out and give the "bad request" and HTTP 400. We were never able to reproduce the problem, except we do see users running into it. Obviously, the problems occur very randomly, but often enough to generate a lot of support tickets. No error was generated in the SAP system log.
Here is what I see from the apache access log and error log:
[31/Jul/2014:23:50:26 -0400] TLSv1 AES128-SHA "POST /sap/bc/webdynpro/sap/ZR_SSEPP_OPERATIONAL_SCHEDULE;sap-ext-sid=VcFRQjFOvu8TJYp9gDoeAA--4x1GQAg0MPPjCUEQif5iWQ--?sap-contextid=SID%3aANON%3asapprd_PR3_03%3aezUnW-FXtaYVyXREaAD7rxW0k8o5pk_n9RfjPfcB-NEW HTTP/1.1" 400 3004 "https://xxxxx/sap/bc/webdynpro/sap/ZR_SSEPP_OPERATIONAL_SCHEDULE;sap-ext-sid=VcFRQjFOvu8TJYp9gDoeAA--4x1GQAg0MPPjCUEQif5iWQ--" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)" 706345611
[Fri Aug 01 14:19:07 2014] [error] [client 10.4.53.198] (70014)End of file found: proxy: error reading status line from remote server xxxxxx, referer: https://xxxxx/sap/bc/webdynpro/sap/ZR_SSEPP_OPERATIONAL_SCHEDULE;sap-ext-sid=RaH2yjQlV6o7wVaj6wv6zA--LXTMFzjjKvcuwT*DXWoBmA--
I found bug 37770 and went to see the Apache admin. But he thinks that the parameter (proxy-initial-not-pooled=1) that fixes the bug only applies to mod_proxy_http. However, we are using mod_proxy.
We have been using Apache 2.2.x with reverse proxy modules for our clients to access their OWA servers for over a year. I want to get us to Apache 2.4.x, so I set up a test box with the latest 2.4 on it. I fixed the config file issues since 2.4 has changes in it. OWA proxy is working on my test server with Apache 2.4. But with 2.4 I do have an issue I cannot figure out. Note that this does NOT occur with Apache 2.2. I get the following errors when using ActiveSync through the reverse proxy:
[Thu Oct 17 12:19:11.670665 2013] [proxy_http:error] [pid 748:tid 8440] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : [client x.x.x.x:20311] AH01102: error reading status line from remote server mail.nameredacted.net:443
[Thu Oct 17 12:19:11.670665 2013] [proxy:error] [pid 748:tid 8440] [client x.x.x.x:20311] AH00898: Error reading from remote server returned by /Microsoft-Server-ActiveSync
So somehow with Apache 2.4 there is some sort of timeout that was not there with 2.2.
Just logged in to my cPanel, and Apache Server Status shows:
Parent Server Generation: 7
Server uptime: 2 hours 52 minutes 5 seconds
Total accesses: 701666 - Total Traffic: 63.7 GB
CPU Usage: u1610.22 s255.4 cu0 cs0 - 18.1% CPU load
68 requests/sec - 6.3 MB/second - 95.2 kB/request
400 requests currently being processed, 0 idle workers
I told customer service that my website (a big forum) has 4000 people on it now and it felt very slow; could the slowness be caused by this max Apache connection setting?
I got this reply: "400 seems to be as high as Apache can go. Your httpd.conf settings currently show 500 max connections enabled. If Apache is stopping at 400 then this is its hard limit for maximum connections. Also, if it was able to go even higher you would eventually run into memory issues on the server that would cause the server to crash."
Can anyone tell me if "400 requests currently being processed, 0 idle workers" is a problem, or could it be the cause of the slowness? I imagine if more people request connections and Apache can't deal with that many, it has to let those requests wait in the queue, therefore causing slowness or time-outs.
The same server could deal with 8000 people online before, with no problem at all, and speed was quite fast. I don't know what I should do now.
I currently have a dedicated server with the following specs:
Celeron 2.6ghz
2gb ram
100mbit connection
The CPU load is always under 0.7, and I always have at least 400mb of free RAM.
The site takes about 5-10 seconds to load a test page with just a single word on it. When I type netstat -n | grep :80 | wc -l I get around 1100-1200 connections. I get about 130k page views per day.
My site is about 95% static html, it has about 150 images per page. How can I speed up my site?
Here are my apache httpd.conf settings:
Timeout - 100
KeepAlive - on
KeepAliveTimeout - 12
StartServers - 48
MinSpareServers - 32
MaxSpareServers - 64
MaxClients - 1500
MaxRequestsPerChild - 1000000
When I check Apache status, I see one domain sending many requests to the server, for example:
domain.com 10.20.30.40
domain.com 10.20.30.40
domain.com 10.20.30.40
domain.com 10.20.30.40
domain.com 10.20.30.40
- - -
How can I prevent this problem? This problem teases me and my server, because it induces Apache to work unremittingly. RAM usage is 65%!
When I go to the [URL] ... it loads the index page just fine. When I use the [URL] .... it still loads the index page. I don't want it to do that, I want it to load test.php. When I click on a link (for say [URL] ....) on index.php the URL stays as [URL] ....; I actually want it to show [URL] .... (while I test things at least). Is this a .htaccess issue?
Our web server encountered a problem lately: an IP address in India repetitively sent requests that use up all connections available in Apache. All connections appear to be in W state. The connections are not terminated by Apache even though the timeout has been set to a lower 30 seconds. Similarly, MySQL connections also are not dropped until Apache is restarted.
I would like to know what is the maximum number of Apache connections a server can handle? Does this depend on the config of the server? Is it possible for a server to handle more than 2500 active Apache connections without timeout / connection failure / slowness?
I've got an older "Super Server P4" series server @ ThePlanet - it's been a great box for years. We recently upgraded php4 to php5 and did a mysql upgrade as well. Ever since, randomly, without warning, Apache stops terminating connections, so the max connections fills up, and httpd won't respond. Apache doesn't stop running, it just maxes out and stops accepting new connections, so customers assume the server is "down", although email/FTP work fine.
The server never crashes, the loads stay down, but httpd just fills up and won't accept more connections. We can't increase max connections (we actually DECREASED IT), because they'll just keep piling up, never terminating, and then ultimately, it will crash the box.
My admin has worked for nearly 2 weeks trying to figure it out, and Scott (AtomicRocketTurtle) and his team have been evaluating it for about a week - it's happened 3x in 2 days ... last night, httpd quit responding for about 7+ hours and since we didn't have httpd monitoring, we never knew until the office opened this AM and I had two very angry customers. Scott suspects it may be some rogue application that triggers it that didn't affect it prior to the php5/mysql upgrades.
Both Scott and Parm, my admin, have about thrown in the towel and are recommending we retire the server and migrate to a new box.
It's older - much older .. I'm pasting specs below, RHEL3, Plesk 7.5 .. but just wonder, before retiring an old server that was RUNNING GREAT prior to the upgrade, maybe someone has seen this happen before?
If so - PLEASE LET US KNOW before I spend the $$$ on a new box.
I am trying to figure out how Apache is working on windows 7 - so far so good - but how do I set restrictions and limitations on bandwidth usage and max number of IP-connections?
[Thu Sep 27 08:59:12 2007] [error] [client 41.221.18.199] Invalid URI in request entersomenicedatastringshereidontthinkthisislongenoughsoiwilladdmorehehe
707671880723
[Thu Sep 27 08:59:12 2007] [error] [client 60.54.153.233] mod_security: Access denied with code 403. Pattern match "!HTTP\/(0\.9|1\.0|1\.1)$" at THE_REQUEST [id "340000"][rev "1"] [msg "Bad HTTP Protocol"] [severity "1"] [uri ""]
mod_security: Access denied with code 403. Pattern match "!HTTP\/(0\.9|1\.0|1\.1)$" at THE_REQUEST [id "340000"][rev "1"] [msg "Bad HTTP Protocol"] [severity "1"] [uri ""]
[Thu Sep 27 08:59:49 2007] [error] [client 80.78.48.132] File does not exist: /usr/local/apache/htdocs/403.shtml
[Thu Sep 27 08:59:49 2007] [error] [client 87.110.121.99] Invalid URI in request entersomenicedatastringshereidontthinkthisislongenoughsoiwilladdmorehehe
607938289643
[Thu Sep 27 08:59:50 2007] [error] [client 220.116.89.243] Invalid URI in request entersomenicedatastringshereidontthinkthisislongenoughsoiwilladdmorehehe
309682726861
---
Mod_security and mod_evasive are installed of course, but they can't block this from happening, which stops Apache from working.
I've even asked LT to install a Cisco ASA 5505 as they told me it would help much, but it seems like they don't know how to manage it, so the server went down every few min for 24 hours till I asked them to uninstall it.
Does the Cisco firewall really help in that case or what? If so, what provider should I move to that has experienced staff and can get it to work the right way?
I've been having trouble the past few days with someone who's been "attacking" my site so to speak by continuously downloading very large files with as many connections as (he) can open. I operate a large downloads site for computer games, and this person has selected the largest files (like 400-500MB). Not sure of the real intent other than to clog up my bandwidth capacity. Also he appears to be using proxies, since as soon as I ban one, another shows up, seemingly from China.
Anyway, I have mod_bw and I've limited the number of connections in the downloads area to 2. While that works ok, his tool uses threads like a download manager would and he's using up 30-40 child threads for his 2 file downloads.
So 2 questions:
Is there any way to not only limit file downloads to 2, but limit the number of connections per request? Many of my visitors do use download managers and I'd like for them to continue using them but use a reasonable number of threads like 6 or 8, but not 30.
Also, is there a way to restrict access to someone using a proxy?
Is there a way to tar a compiled apache/php installation and move it to another identical server?
If on the first server I specify all the configure options for both apache and php to point to /usr/local/apache2 for example, and then tar the apache2 dir and untar it on another server, will everything work just like it should? Or do I need to compile apache/php from scratch on the second server?
It would be nice to just be able to push the apache/php tar file onto the newly provisioned server and be ready to go.
Has anyone done this before? What is the best way to do this, and are there any issues to look for?
I have 2, 3 and 5GB files that I need to download, but every time they appear as 1.4GB for some reason. I've tried IE, Mozilla and Opera and got the same result each time.
Is there some sort of limit to the size of a file that apache will serve?
I have a question related to a DDOS attack. My hosting provider told me that my server was DDoS attacked a few days ago. But in those days my server worked fine; only the apache server was down. The strange fact is that on the same day as this "DDOS attack" one of their admins worked on something in the SSL section of my server, and during this operation the SSL hosts were down and httpd worked slowly.
In the past 3 months httpd worked very slowly, and after 2-3 restarts of the httpd service the load dropped down below 3.00. I believe their httpd service already had problems and that the SSL configuration caused that apache failure on the day of the "ddos attack".
I repeat, on that day ONLY SSL hosts worked fine and non-SSL hosts were down.
Is it possible in a DDOS attack for the load to be under 0.5, SSL hosts to work fine, and FTP, mail and other stuff to work like there is nobody on the server (VERY FAST)?