  1. #1

    maxclients, keepalives and 408 errors

    For a while I have been chasing down an issue with Apache server with 408 errors. It seems that some worms will open many connections per IP (20 perhaps?) that Apache is hosting. A single worm would consume all daemons and for some reason the daemons don't die. This led to a total DoS of my server.

    After much playing around with timeout values and number of clients to be supported, I found that nothing seems to work except disabling keepalives.

    Today, one rogue worm attempted 351 connections in the space of about 1 minute and my server dealt with it just fine. Every single connection ended in a 408 error.

    I have looked around the net for others that have been facing this issue and it seems that those who are hosting many ip/domains are being hit the hardest and so there hasn't been much feedback on this issue.

    I am curious if anyone else is facing this issue?

    Also, I think that there may be a bug in Apache in that keepalive timeouts don't seem to work in conjunction with a 408 error? Perhaps time never starts for a connection that never completes?

    Just for the record I am running Apache 1.3.27

    Mike

  2. #2
    Which worms are you speaking about? nimda / code red?

  3. #3
    It's probably nimda or codered and produces logs like this:

    210.107.240.206 - - [24/Mar/2002:06:11:24 -0800] "-" 408 -
    210.95.200.96 - - [24/Mar/2002:06:12:48 -0800] "-" 408 -
    210.107.240.206 - - [24/Mar/2002:06:12:54 -0800] "-" 408 -
    210.95.200.96 - - [24/Mar/2002:06:14:18 -0800] "-" 408 -
    210.107.240.206 - - [24/Mar/2002:06:14:24 -0800] "-" 408 -
    210.107.240.206 - - [24/Mar/2002:06:15:58 -0800] "-" 408 -
    210.107.240.206 - - [24/Mar/2002:06:17:28 -0800] "-" 408 -

    Hmm.. maybe bugbear? Though these hosts seem to all be running Apache, maybe it's slapper?

    Mike
    Last edited by mjdewitt; 11-17-2002 at 09:32 PM.
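
Added example (not part of the original thread): a small Python check that scans an Apache access log for the pattern shown in the post above, connections that end in a 408 with an empty request (`"-"`), and reports source IPs that produce several of them inside a short window. The threshold, window length, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

def idle_timeouts(lines):
    """Yield (ip, timestamp) for entries that timed out without sending a request line."""
    for line in lines:
        m = CLF.match(line.strip())
        if m and m.group(4) == "408" and m.group(3) == "-":
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")

def flag_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs with >= threshold empty 408s inside any window."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the sliding window
    peak = defaultdict(int)       # highest in-window count seen per IP
    for ip, ts in sorted(idle_timeouts(lines), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample log (documentation address ranges, not real hosts)
SAMPLE = """\
192.0.2.10 - - [24/Mar/2002:06:11:24 -0800] "-" 408 -
198.51.100.7 - - [24/Mar/2002:06:12:48 -0800] "-" 408 -
192.0.2.10 - - [24/Mar/2002:06:12:54 -0800] "-" 408 -
203.0.113.5 - - [24/Mar/2002:06:13:02 -0800] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [24/Mar/2002:06:14:18 -0800] "-" 408 -
192.0.2.10 - - [24/Mar/2002:06:14:24 -0800] "-" 408 -
192.0.2.10 - - [24/Mar/2002:06:15:58 -0800] "-" 408 -
192.0.2.10 - - [24/Mar/2002:06:27:28 -0800] "-" 408 -
""".splitlines()

if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE).items():
        print(f"{ip}: {n} empty-request 408s within 5 minutes")
```

Normal requests and other status codes are ignored, so the count reflects only connections that were opened and left idle until the server timed them out.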

  4. #4
    Try putting this at the top of your httpd.conf file:

    RedirectMatch ^.*\.(dll|ida).* > /dev/null
    RedirectMatch ^.*\cmd\.* > /dev/null
    RedirectMatch ^.*\root\.* > /dev/null

    Be sure to restart apache after.

  5. #5
    I think that is probably a good idea to flush those IIS virus checks, but I am not sure what effect the redirect rules will have on the "408" errors.

    Mike

  6. #6
    Having the redirects in place will keep the size of your error log down and have the requests filled without the machine having to output an error message.

    A couple of other things you should change:

    1. timeout from 300 to 30
    2. keepalive from on to off
    3. insert those redirects

    This will make for a very stable machine which gets hit hard by those worms.

  7. #7

    Thanks, I will add in the redirects.

    I think my log reader will be grateful.

    Mike

  8. #8

    question

    Hi,

    I am having the exact same problem.

    1. timeout from 300 to 30
    what will this do?
    2. keepalive from on to off
    Is that safe?

    If anyone else has any feedback, please let me know. Thanks.
