LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux > Linux - Security
Reload this Page Apache is flooded with hundreds of readings for vhost
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Thread Tools
Old 02-15-2006, 10:11 AM   #1
abefroman
Member
Contributing Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS w/Cpanel
Posts: 906
Thanked: 3
Apache is flooded with hundreds of readings for vhost

[Log in to get rid of this advertisement]
Apache is flooded with hundreds of readings for vhost

When I goto the apache server status page it shows hundreds of:
13-2 22464 0/177/5517 R 6.63 3 0 0.0 4.32 53.65 ? ? ..reading..

Appearently a script is half connecting to apache and then leaving the connection open and connecting again until Max Clients is hit

I have Timeout set to 5 and keep alive off. I also have mod dos evasive installed.

How can I get apache to drop the connections that are "reading"?
abefroman is offline     Reply With Quote
Old 02-16-2006, 11:51 PM   #2
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 547
Thanked: 0
check with netstat if the requests all come from the same ip. if so, then firewall it.
pk21 is offline     Reply With Quote
Old 02-17-2006, 03:35 AM   #3
abefroman
Member
Contributing Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS w/Cpanel
Posts: 906
Thanked: 3

Original Poster
They are from hundreds of different IPs
abefroman is offline     Reply With Quote
Old 02-17-2006, 01:37 PM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,022
Thanked: 0
Quote:
Originally Posted by abefroman
They are from hundreds of different IPs
That would be called a DDoS (Distributed Denial of Service) attack. This board, and The Internet in general, are filled with info on how to tweak Apache (and Linux in general) to survive DDoS.
Darin is offline     Reply With Quote
Old 02-17-2006, 04:06 PM   #5
abefroman
Member
Contributing Member
 
Registered: Feb 2004
Location: Chicago
Distribution: CentOS w/Cpanel
Posts: 906
Thanked: 3

Original Poster
Quote:
Originally Posted by Darin
That would be called a DDoS (Distributed Denial of Service) attack. This board, and The Internet in general, are filled with info on how to tweak Apache (and Linux in general) to survive DDoS.
I have made all those tweaks, how can I stop this one level above the server?
abefroman is offline     Reply With Quote
Old 02-17-2006, 05:18 PM   #6
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,022
Thanked: 0
Quote:
Originally Posted by abefroman
I have made all those tweaks, how can I stop this one level above the server?
Buy a powerful firewall?
http://www.juniper.net/products/integrated/
http://www.cisco.com/en/US/products/...evc/index.html
http://www.extremenetworks.com/produ...es/Default.asp
http://www.google.com/search?hl=en&q=hardware+firewall
Darin is offline     Reply With Quote
Old 02-20-2006, 05:05 AM   #7
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,313
Thanked: 3
If the packets arrive on your network/webserver, even if you refuse all of them or rate-limit them with the most powerfull firewall on earth, they still arrive.. and if the attackers have a bigger bandwidth than you, it will overflow your bandwidth.

And in your case, its not even spoofing or icmp flooding, no, its just legitimate web traffic.

As said in another thread, only the ISP can do something about it.
nx5000 is offline     Reply With Quote

Reply

Bookmarks


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache ssl on only *one* vhost belorion Linux - Networking 1 12-01-2005 04:59 PM
Apache: Alias is working on ssl vhost but not on mass vhost jonavogt Linux - Software 0 06-07-2005 03:05 PM
vhost in apache jelgavchik Linux - Networking 3 02-07-2005 07:41 PM
Apache: libhttpd.ep -> hundreds of defunct, killing my server praefex Linux - General 0 02-10-2004 03:14 PM
apache 1.3 vhost z4Rilla Linux - Software 0 08-03-2003 07:44 AM


All times are GMT -5. The time now is 04:25 AM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap - LinuxQuestions.org - Linux Forums
Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
RSS2  LQ Podcast
RSS2  LQ Radio
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration