Mailing List Archive



Re: [tlug] Monkey vs Apache!!! Fight!




Hi Sach,


On 06/04/11 13:07, Sach Jobb wrote:
> Speaking with him on the phone, I learned that he has a regular OCN
> connection, somewhere in Tokyo, and some 10 client machines or so that
> share through a cheap firewall. Most of them are macs. As far as I can
> tell he wasn't doing any kind of behavior that would possibly take
> apache, or any other service down. He's just a normal user. So, that
> just left me with more questions... is there some sort of virus on one
> of his machines? Is the cheap fw getting confused and rapid fire
> sending the same request uri over and over? Is apache just buggered?
>
> So, my questions are:
> 1) Has anyone else experienced this sort of behavior before, and
> 2) What do you do to protect apache against somebody that just
> suddenly goes nuts with the connections, intentionally or not?


I don't have much experience with this...but I would think that it can't be Apache's fault. If a client sent a single request and Apache did something crazy like spawning processes uncontrollably, then maybe Apache or one of its modules is at fault (or your server code, depending on what it does). But your logs indicate that there were distinct accesses from a client; I don't know how you could protect yourself from that.

It is probably hard to get more information from this person, but what was he doing at the time? With all these accesses, did he notice that his network light was flashing even though he wasn't doing anything (that happens to me sometimes, so I can't blame him if he didn't think anything of it...). When you blocked his IP address, did he realize something was wrong? Sounds like Firefox was doing something behind his back?

I've worked on a web server before, but it probably can't protect itself from a DNS attack (or the unintentional equivalent). Some sites I go to restrict concurrent accesses and if they exist, they lock the IP address automatically for a few days with a message to ask you to "fix your system" :-) -- doesn't help if you have a few people going through a single gateway, but they don't seem to care...

I guess you could monitor IP addresses and the web server's load and use some heuristic and an automated e-mail to the root user...

Looking forward to any replies from others...

Ray
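
The heuristic suggested in the message above (watch per-IP request counts and flag a client that suddenly floods the server), sketched as an added example that is not part of the original post. The function names, the 10-second window and the 20-request threshold are assumptions, and the log lines are constructed sample data using documentation IP ranges.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: host ident user [time] "METHOD uri proto"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_floods(lines, window_s=10, max_hits=20):
    """Map each client exceeding max_hits requests in any window_s-second
    window to (peak hits in a window, its most requested URI overall).
    Assumes lines are in chronological order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    uris = defaultdict(Counter)   # ip -> URI request counts
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # malformed or truncated line
        ip, ts, _method, uri = m.groups()
        try:
            t = datetime.strptime(ts, TIME_FMT)
        except ValueError:
            continue              # unparseable timestamp
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        uris[ip][uri] += 1
        if len(q) > max_hits:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return {ip: (n, uris[ip].most_common(1)[0][0]) for ip, n in peak.items()}

def sample_log():
    """Constructed sample: one quiet client, one repeating a single URI."""
    base = datetime(2011, 4, 6, 13, 0, 0, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=10 * i), "198.51.100.7", f"/page{i}")
              for i in range(5)]
    events += [(base + timedelta(seconds=5, milliseconds=100 * i),
                "192.0.2.10", "/index.php") for i in range(30)]
    lines = [f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {uri} HTTP/1.1" 200 512'
             for t, ip, uri in sorted(events)]
    return lines + ["garbage line"]

if __name__ == "__main__":
    for ip, (hits, uri) in find_floods(sample_log()).items():
        print(f"{ip}: {hits} requests within 10s, mostly {uri}")
```

Because several users can share one gateway address, as in the case described, the threshold has to sit above the combined normal traffic of everyone behind that address.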



