In the past several weeks, we've been dealing with what seems to be a denial of service attack against our site. We were seeing similar messages in our logs before Apache became unresponsive. I contributed it to the HTTP/2 Rapid Reset Exploit because we ran 2.4.57 then. Last week, I upgraded to 2.4.58, but we were hit again today. In this case, these messages started about 48 hours ago until the httpd process finally became unresponsive. There wasn't a single request in the access logs from this source IP, just these repeated messages in the error log. Besides blocking the IP, can I change any settings to protect against this? Maybe a mod_qos configuration?
[Mon Nov 13 13:25:49.099207 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:26:49.102423 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:27:49.105261 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:28:49.108454 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:29:49.110794 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:30:49.113728 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:31:49.116023 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:32:49.119196 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:33:49.122450 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:34:49.124970 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:35:49.127724 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:36:49.130275 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:37:49.133470 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:38:49.136233 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:39:49.138935 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:40:49.141993 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:41:49.144710 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:42:49.147057 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:43:49.150223 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:44:49.152579 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:45:49.155121 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:46:49.158183 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:47:49.161432 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:48:49.164256 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:49:49.167331 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:50:49.170250 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:51:49.172490 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:52:49.175332 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:53:49.177549 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:54:49.180415 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:55:49.183590 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:56:49.186589 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:57:49.188894 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:58:49.191320 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 13:59:49.193887 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 14:00:49.197064 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 [Mon Nov 13 14:01:49.199302 2023] [http2:warn] [pid 124004:tid 492] [client 172.56.15.107:7282] h2_stream(124004-2515-15,CLEANUP): started=1, scheduled=1, ready=0, out_buffer=0 Thanks! Dan -- *NOTICE:* This e-mail message and all attachments transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. The contents of this e-mail are confidential and may be subject to work product privileges. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
