Nico,

On 12/13/12 4:29 AM, Nico Peters wrote:
> First, some information to our setup:

Manager configuration?

> We have recognized an unusually high number of disk operations on
> one of our servers and investigated the origin. We found out that
> there was one tomcat session file that had already grown to 235GB and
> was increasing quickly (all other sessions on our server are less
> than 10KB). We then removed that session file, but it was recreated
> (starting from 0 bytes) and was again growing quickly. We then did
> a backup of that file and removed it again. After the second
> removal the session file didn't appear again. The server returned
> to normal operation.

Did the session file represent an actual session that Tomcat was still
maintaining? Did you inspect the HttpSession object to see if it
contained any large piece of data (like a String containing q~"q~#...)?

> I've investigated the session file and the file contained 3 lines.
> I was able to recognize the data of the first two lines (the
> default session parameters like lastAccessedTime as well as some
> POJOs we have added to that session). But the third line was
> endlessly repeating the following string:
> 
> q~"q~#q~'q~(

The same thing, over and over again, like
"q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(q~"q~#q~'q~(..."?

> And now my questions: Does anyone know what this string means?

Not I.

> How is it possible that a session can increase to this size (larger
> than the heap size of tomcat)?

Good question.

> Is it a known tomcat bug?

Not that I know of.

> Is it a known type of attack?

It seems like it might be an attack -- like someone trying to fill up
your session (and heap) with junk. It could also have been some
component going absolutely crazy (JVM, filesystem, etc.).

> How can you prevent this problem?

We don't know what caused it.

If it happens again, please take a few thread dumps of the JVM that is
creating the file. That will help significantly.

-chris
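An added decoding aid, not part of the thread: Tomcat persists sessions with Java's ObjectOutputStream, and in that stream format the byte 0x71 ('q') is TC_REFERENCE, a back-reference to an object already written, followed by a 4-byte handle counted up from 0x7E0000. A text viewer that drops NUL bytes shows each 5-byte token as q~ plus one character, so q~"q~#q~'q~( reads as references to handles 0x7E0022, 0x7E0023, 0x7E0027 and 0x7E0028, repeated; that is what an ever-growing collection of the same few objects looks like on disk. The scanner below (Python, run on a constructed sample rather than a real session file; the handle values are inferred from the string quoted above) tallies those references so such a file can be triaged without loading it into a JVM.

```python
import struct
from collections import Counter

# Constants from the Java Object Serialization Stream Protocol.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_REFERENCE = 0x71           # 'q': back-reference to an object already in the stream
BASE_WIRE_HANDLE = 0x7E0000   # first handle an ObjectOutputStream hands out


def scan_references(data: bytes):
    """Walk the stream byte by byte and tally TC_REFERENCE tokens.

    Returns (total_refs, Counter of handle -> hits, longest consecutive run).
    A long run of references to the same few handles means the stream keeps
    re-emitting pointers to objects it has already written, which is what an
    unbounded collection of repeated entries looks like on disk."""
    counts = Counter()
    total = longest = run = 0
    i, n = 0, len(data)
    while i + 5 <= n:
        if data[i] == TC_REFERENCE:
            handle = struct.unpack(">I", data[i + 1:i + 5])[0]
            if handle >= BASE_WIRE_HANDLE:
                counts[handle] += 1
                total += 1
                run += 1
                longest = max(longest, run)
                i += 5
                continue
        run = 0
        i += 1
    return total, counts, longest


def as_text_viewer(data: bytes) -> str:
    """Approximate a text viewer that silently drops NUL bytes, which turns the
    5-byte token 71 00 7E 00 22 into the three printable characters q~" ."""
    return data.replace(b"\x00", b"").decode("latin-1")


def build_sample(repeats: int) -> bytes:
    """Constructed stand-in for a session file (not a real Tomcat file): stream
    magic, a few bytes of opaque filler, then `repeats` rounds of references
    to handles 0x7E0022, 0x7E0023, 0x7E0027 and 0x7E0028."""
    refs = b"".join(struct.pack(">BI", TC_REFERENCE, h)
                    for h in (0x7E0022, 0x7E0023, 0x7E0027, 0x7E0028))
    return STREAM_MAGIC + b"sr\x00\x05dummy" + refs * repeats


if __name__ == "__main__":
    sample = build_sample(1000)
    total, counts, longest = scan_references(sample)
    print(as_text_viewer(sample[-20:]))  # the tail as a NUL-dropping viewer shows it
    print(f"{total} back-references, longest run {longest}, top handles:",
          [(hex(h), c) for h, c in counts.most_common(4)])
```

On a real file, read it in chunks rather than whole; a handle count dominated by a handful of values with a run length in the millions is the signature of the runaway structure described above.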
