LinuxQuestions.org
Old 02-15-2006, 10:11 AM   #1
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Rep: Reputation: 53
Apache is flooded with hundreds of readings for vhost

When I go to the Apache server status page it shows hundreds of:
13-2 22464 0/177/5517 R 6.63 3 0 0.0 4.32 53.65 ? ? ..reading..

Apparently a script is half connecting to Apache and then leaving the connection open and connecting again until Max Clients is hit.

I have Timeout set to 5 and keep alive off. I also have mod_dosevasive installed.

How can I get apache to drop the connections that are "reading"?
 
Old 02-16-2006, 11:51 PM   #2
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
Check with netstat if the requests all come from the same IP. If so, then firewall it.
 
Old 02-17-2006, 03:35 AM   #3
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Original Poster
Rep: Reputation: 53
They are from hundreds of different IPs
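
The netstat check suggested in post #2, covering both the single-source case and the many-source outcome reported in post #3, as an added example that is not part of the thread. The function names, the port, the share threshold and the sample `netstat -ant` output (documentation-range addresses) are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output; not data from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51822       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:60001      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.8:3911 ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51823       TIME_WAIT
EOF
}

# per_ip_counts PORT: read `netstat -ant` text on stdin and print "count ip"
# for ESTABLISHED connections to local PORT, busiest source first.
per_ip_counts() {
    awk -v port="$1" '
        $6 == "ESTABLISHED" && $4 ~ (":" port "$") {
            ip = $5
            sub(/:[0-9]+$/, "", ip)   # drop the remote port
            sub(/^::ffff:/, "", ip)   # fold IPv4-mapped IPv6 into plain IPv4
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# classify PORT SHARE: "concentrated" when the busiest source holds at least
# SHARE percent of the connections (a firewall candidate), else "distributed".
classify() {
    per_ip_counts "$1" | awk -v share="$2" '
        { total += $1; if ($1 > top) { top = $1; ip = $2 } }
        END {
            if (total == 0) { print "none"; exit }
            if (top * 100 >= share * total) print "concentrated", ip, top "/" total
            else print "distributed", NR " sources", total " connections"
        }'
}

# Run against the constructed sample; on a live host: netstat -ant | classify 80 75
sample_netstat | classify 80 75
```

A "distributed" verdict is the case from post #3, where no single firewall rule removes the load.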
 
Old 02-17-2006, 01:37 PM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Quote:
Originally Posted by abefroman
They are from hundreds of different IPs
That would be called a DDoS (Distributed Denial of Service) attack. This board, and The Internet in general, are filled with info on how to tweak Apache (and Linux in general) to survive DDoS.
 
Old 02-17-2006, 04:06 PM   #5
abefroman
Senior Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS
Posts: 1,277

Original Poster
Rep: Reputation: 53
Quote:
Originally Posted by Darin
That would be called a DDoS (Distributed Denial of Service) attack. This board, and The Internet in general, are filled with info on how to tweak Apache (and Linux in general) to survive DDoS.
I have made all those tweaks, how can I stop this one level above the server?
 
Old 02-17-2006, 05:18 PM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Quote:
Originally Posted by abefroman
I have made all those tweaks, how can I stop this one level above the server?
Buy a powerful firewall?
http://www.juniper.net/products/integrated/
http://www.cisco.com/en/US/products/...evc/index.html
http://www.extremenetworks.com/produ...es/Default.asp
http://www.google.com/search?hl=en&q=hardware+firewall
 
Old 02-20-2006, 05:05 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 53
If the packets arrive on your network/webserver, even if you refuse all of them or rate-limit them with the most powerful firewall on earth, they still arrive.. and if the attackers have a bigger bandwidth than you, it will overflow your bandwidth.

And in your case, it's not even spoofing or ICMP flooding, no, it's just legitimate web traffic.

As said in another thread, only the ISP can do something about it.
 
  


All times are GMT -5.