Unfortunately connlimit is missing from both debian and ubuntu at the
moment:
https://bugs.launchpad.net/ubuntu/+source/linux-source-2.6.20/+bug/60439/+activity
Shame, it looked like that was going to be such a neat way to fix the
problem...
Graham
Hamilton Vera wrote:
It is just a target name
$IPTABLES -N logdropdos
$IPTABLES -A logdropdos -j LOG --log-level INFO --log-prefix "[logdropdos]"
$IPTABLES -A logdropdos -j DROP
Just to make easier the log analisys, you can also use
"-j DROP" instead.
Hamilton Vera
int Administrator (char Network[],char ComputationalSystems[]);
http://antispam.br/
"Google is my shepherd, no want shall I know"
On Thu, 21 Jun 2007, graham wrote:
Hamilton Vera wrote:
You can try to use iptables, to limit the number of TCP connections
$IPTABLES -A INPUT -p TCP -i $WAN -s 0/0 --syn --dport 80 -m
connlimit --connlimit-above 10 -j logdropdos
Sounds good. What's the 'logdropdos'? I don't seem to have it, and
google gives me nothing. Is there a reason not just to use 'REJECT'?
Thanks
Graham
Or implement a Freebsd firewall with QoS, applying shapes to parallel
TCP connections.
I hope this help.
On Thu, 21 Jun 2007, graham wrote:
Hi,
I've just become involved with a system running apache2.0.55 on
ubuntu with linux 2.6.17.
The system is currently unable to run due to repeated downloads of a
large number of pdfs by systems located in China. These are hogging
all sockets and eventually causing apache to die (I'm appending more
details below in case I've got the wrong end of the stick). The ip
address of these systems varies; they are not a single block,
although they are obviously working together (different ip addresses
will ask for sequentially related pdfs). Each ip address will
request multiple files in parallel.
I'm told that the limit_ipconn module would solve my problem by
limiting the simultaneous accesses from any one ip address. There is
no version of this available for apache2 on ubuntu. I'm wondering if
this is because similar abilities have been built into apache2
itself, but haven't managed to find any.
Does anyone have any suggestions?
Thanks
Graham
-----------------------------------------------
Notes from log:
The system is running ok, not at particularly heavy load (<1.0), and
apache is apparently running ok and not reporting errors [corrected
later].
Tailing the apache log file shows that the only accesses to the
system are GETs of pdfs from two chinese systems, 218.4.152.91 and
222.218.254.221, which are obviously running the same software.
These systems are trying to systematically work their way through
downloading all chinese pdfs. When a pdf is too large and the
download times out, they immediately try again (at any one moment
each system is trying to download 3 or 4 pdfs).
If I restart apache, I immediately get accesses from all over the
place, including the 2 chinese systems. Eventually the Chinese
accesses capture all the apache processes, and nothing else can get
access.
'Solution' found for this: turn apache off for a few minutes. The
chinese systems went away, and all was fine again.
One hour later ΒΆ
The chinese systems, and the problems, returned. A little more data
this time.
Once the chinese systems are established, netstat shows that they
occupy most sockets but are mostly in CLOSE_WAIT state. All other
requests are stuck in SYNC_RECV.
After this continues for a while the apache processes gradually
start to die off with the following sequence:
alert] (11): setuid: unable to change to uid: 33 (33 is www-data)
[alert] Child 691 returned a Fatal error... Apache is exiting!
[emerg] (43): couldn't grab the accept mutex
semop: Invalid argument
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
------------------------------------------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
------------------------------------------------------------------------
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
