Results 1 to 4 of 4
  1. #1

    Lots of keepalive requests in Apache

    Hi,

    I have been experiencing a lot of Keepalive requests for a particular image on a particular domain. please see the lines below.

    Code:
    0-11	23393	1/63/63	K 	0.15	1	0	0.4	0.03	0.03 	195.68.185.13	mydomain.com	GET http://mydomain.com//images/logo.jpg HTTP/1.1
    1-11	23394	1/77/77	K 	0.18	1	0	0.4	0.05	0.05 	122.164.58.63	mydomain.com	GET http://mydomain.com//images/logo.jpg HTTP/1.1
    2-11	23395	1/42/42	K 	0.76	0	0	0.4	0.17	0.17 	89.139.214.74	mydomain.com	GET http://mydomain.com//images/logo.jpg HTTP/1.1
    3-11	23397	1/57/57	K 	0.04	0	0	0.4	0.02	0.02 	82.199.98.229	mydomain.com	GET http://mydomain.com//images/logo.jpg HTTP/1.1
    4-11	23398	1/46/46	K 	0.27	0	0	0.4	0.04	0.04 	217.150.55.41	mydomain.com	GET http://mydomain.com//images/logo.jpg HTTP/1.1
    These are just a few lines from the top.
    How can i prevent this from happening.. it seems as a SYN Flood, or maybe a DDoS.

    Suggestions are very much appreciated.
    Robert.

  2. #2
    Join Date
    Jun 2003
    Location
    Janesville, Wi
    Posts
    1,516
    Well, you have a few options.

    One: Do you need KeepAlive? If not, then simply turn it off.

    Two: Is your KeepAlive timeout set too high? Try lowering it to 5 seconds as KeepAlive is really only needed to the current connection to quickly get all its content. No sense in leaving it open once they finish loading.

    Three: Is your KeepAlive max requests set too high? A value around 100 is good for most pages and will prevent a host from keeping a KeepAlive session open indefinitely.

    If this is a DOS, as you suggested it may be, check out mod_evasive. This can be used to rate-limit incoming connections to Apache and issuing blocks on IP's it determines to be flooding your server (outputs 403 Forbidden errors for a set length of time).
    Jakiao

  3. #3
    Join Date
    Aug 2002
    Location
    Canada
    Posts
    665
    What's the user-agent used in the httpd access logs related to these connections?
    circlical - hosting software development
    forums * blog

  4. #4
    Join Date
    Dec 2006
    Posts
    477
    It could be that someone has hotlinked the image from a 3rd party site - e.g. using it as a forum avatar. Therefore, since it is only file hit on your server, it will always be the one shown in normaly keep alive requests.

    Apart from the above suggestions, if you don't want hotlinking on your server, you can add rules to mod_rewrite to prevent it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •