On 08/01/2013 04:39 AM, Grant wrote:
Two different things come to mind. Kingcope found an Apache byterange vulnerability and the PoC code he wrote for it exhausts the resources on a server running Apache. Only 1 instance of his perl script had to be ran. LOIC is another that could possible DoS your server from one source. WhatIP address was hitting your box when this happened?I'd rather not post the IP if that's OK. I did notice my access_log entries were out of chronological order for the IP address inquestion. Does that indicate a Slowloris attack? Maybe it's just the result of the server bogging down in response to so many requests in ashort amount of time. So I'm sure I understand, a regular browser or unsophisticated script shouldn't be able to interrupt apache service by simply requesting a large number of pages in a short amount of time? If not, how does apache prevent that from happening? - GrantYou wouldn't keep a syn proxy rule enabled all the time; only under a DoSattack. You could also implement ModSecurity.ModSecurity looks good and I think it works with nginx as well as apache. Is everyone who isn't running OSSEC HIDS or ModSecurity vulnerable to a single client requesting too many pages and interrupting the service? - GrantAlso, you should be able to limit simultaneous client connections withyourfirewall and pass the traffic in a syn proxy state. There are numerousways to achieve this.Is that the best way to go besides OSSEC HIDS? I can imagine thatsort of thing could cause problems. - GrantYou can always compile from source ;) What version of Apache are you running? On 07/29/2013 02:59 AM, Grant wrote:Was it just an IP exhausting the apache service with too manyconnections? What do you see in the access logs? I use OSSEC HIDSon my apache servers to mitigate this.In the access log I see the same IP made many requests during the service interruption and I think that exhausted the apache service. It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is thereanother way to prevent this sort of thing? - GrantMy server has 4GB RAM and uses nginx as a reverse proxy to apache.Alittle while ago my website became inaccessible for about 30minutes.I checked my munin graphs and it looks like apache processesspiked toabout 29 during this time which is many times greater than usual.Ihave MaxClients at 30 and the error log verifies that MaxClientswasnot reached. The strange part is system disk latency shows aspikeduring the interruption which is only very slightly greater thanotherspikes which did not interrupt service. System CPU, memory, andswap usage don't show anything interesting at all.Does this make sense to anyone? Should I decrease MaxClients?- GrantI've looked over my access_log and I can see there is a particularIPwhich was making many requests during the interruption. Sincemunindoes not show there was an excessive amount of memory or CPU usage,lowering MaxClients won't help? - Grant--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|