Denial of Service due to multiplication of httpd running

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


Madriva 2010.2 running httpd apache 2.2.22
I am having trouble with httpd requests staying active and multiplying. I just came off having 160 versions of httpd running and completely slowing 
down the system. I upgraded to 2.2.22 and it still happens (it went from the
normal 10 servers running to 15 in about a 1/2 hour.) According to the start
times, these seem to be associated with totally bizarre requests from google
(forged addresses?)

Eg, here is one entry from the ps auxww  list

apache   18137  0.0  0.5  26844  5744 ?        S    09:34   0:00 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DAPACHE2 -DHAVE_PERL -DHAVE_PHP5 -DHAVE_ACTIONS -DHAVE_ALIAS -DHAVE_ASIS -DHAVE_AUTH_BASIC -DHAVE_AUTH_DIGEST -DHAVE_AUTHN_ALIAS -DHAVE_AUTHN_ANON -DHAVE_AUTHN_DBM -DHAVE_AUTHN_DEFAULT -DHAVE_AUTHN_FILE -DHAVE_AUTHZ_DBM -DHAVE_AUTHZ_DEFAULT -DHAVE_AUTHZ_GROUPFILE -DHAVE_AUTHZ_HOST -DHAVE_AUTHZ_OWNER -DHAVE_AUTHZ_USER -DHAVE_AUTOINDEX -DHAVE_BUCKETEER -DHAVE_CASE_FILTER -DHAVE_CASE_FILTER_IN -DHAVE_CERN_META -DHAVE_CGI -DHAVE_CGID -DHAVE_CHARSET_LITE -DHAVE_DIR -DHAVE_DUMPIO -DHAVE_ECHO -DHAVE_ENV -DHAVE_EXAMPLE -DHAVE_EXPIRES -DHAVE_EXT_FILTER -DHAVE_FILTER -DHAVE_HEADERS -DHAVE_IDENT -DHAVE_IMAGEMAP -DHAVE_INCLUDE -DHAVE_INFO -DHAVE_LOG_CONFIG -DHAVE_LOG_FORENSIC -DHAVE_LOGIO -DHAVE_MIME -DHAVE_MIME_MAGIC -DHAVE_NEGOTIATION -DHAVE_OPTIONAL_FN_EXPORT -DHAVE_OPTIONAL_FN_IMPORT -DHAVE_OPTIONAL_HOOK_EXPORT -DHAVE_OPTIONAL_HOOK_IMPORT -DHAVE_REWRITE -DHAVE_SETENVIF -DHAVE_SPELING -DHAVE_SSL -DHAVE_STATUS -DHAVE_SUBSTITUTE -DHAVE_SUEXEC -DHAVE_UNIQUE_ID -DHAVE_USERTRACK -DHAVE_VERSION -DHAVE_VHOST_ALIAS
At that time in the access_log I have a whole bunch of entries like 
::1 - - [22/May/2012:09:34:22 -0700] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.22 (Mandriva Linux/PREFORK-0.1mdv2010.2) (internal dummy connection)"
In the past I have also had connections like 66.249.68.198 - - [22/May/2012:09:35:25 -0700] "GET /aggregator/www.umsl.edu/~keelr/010/www.twitter.com/www.iaea.org/Publications/Documents/Board/2008/www.environment-agency.gov.uk/homeandleisure/floods/node/www.guardian.co.uk/business/2012/feb/21/node/node/22?page=11 HTTP/1.1" 200 58609 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 

associated with the times of the startup of those persistant connections. This
looks to be a totally bizzare GET. since that address certainly has nothing to
do with my site.

In the error log around that time I get nothing that looks suspicious

[Tue May 22 09:31:54 2012] [error] [client 119.63.196.27] File does not exist: /usr/local/http/htdocs/robots.txt
[Tue May 22 09:32:25 2012] [error] [client 86.68.18.171] File does not exist: /usr/local/http/htdocs/favicon.ico
[Tue May 22 09:36:47 2012] [error] [client 89.144.206.157] File does not exist: /usr/local/http/htdocs/thirdman/reichs/blank.gif, referer: http://axion.physics.ubc.ca/thirdman/reichs/reichsbruecke.htm

--
William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux