Two different things come to mind. Kingcope found an Apache byterange
vulnerability and the PoC code he wrote for it exhausts the resources on
a server running Apache. Only 1 instance of his perl script had to be
ran. LOIC is another that could possible DoS your server from one
source. What IP address was hitting your box when this happened?
On 07/30/2013 02:25 AM, Grant wrote:
You wouldn't keep a syn proxy rule enabled all the time; only under
a DoS
attack. You could also implement ModSecurity.
ModSecurity looks good and I think it works with nginx as well as
apache. Is everyone who isn't running OSSEC HIDS or ModSecurity
vulnerable to a single client requesting too many pages and
interrupting the service?
- Grant
Also, you should be able to limit simultaneous client connections
with
your
firewall and pass the traffic in a syn proxy state. There are
numerous
ways
to achieve this.
Is that the best way to go besides OSSEC HIDS? I can imagine that
sort of thing could cause problems.
- Grant
You can always compile from source ;)
What version of Apache are you running?
On 07/29/2013 02:59 AM, Grant wrote:
Was it just an IP exhausting the apache service with too many
connections? What do you see in the access logs? I use OSSEC
HIDS on
my
apache servers to mitigate this.
In the access log I see the same IP made many requests during
the
service interruption and I think that exhausted the apache
service.
It looks like there isn't a Gentoo ebuild for OSSEC HIDS. Is
there
another way to prevent this sort of thing?
- Grant
My server has 4GB RAM and uses nginx as a reverse proxy to
apache. A
little while ago my website became inaccessible for about 30
minutes.
I checked my munin graphs and it looks like apache processes
spiked
to
about 29 during this time which is many times greater than
usual. I
have MaxClients at 30 and the error log verifies that
MaxClients was
not reached. The strange part is system disk latency shows a
spike
during the interruption which is only very slightly greater
than
other
spikes which did not interrupt service. System CPU, memory,
and
swap
usage don't show anything interesting at all.
Does this make sense to anyone? Should I decrease
MaxClients?
- Grant
I've looked over my access_log and I can see there is a
particular IP
which was making many requests during the interruption. Since
munin
does not show there was an excessive amount of memory or CPU
usage,
lowering MaxClients won't help?
- Grant
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
