[WBEL-users] DOS attack on Apache?

Johnny Hughes mailing-lists at hughesjr.com
Mon Jun 20 07:01:19 CDT 2005 

On Mon, 2005-06-20 at 13:41 +0200, Benedikt Carda wrote:
> I have deactivated the CGI module and also all but one virtualhosts (on 
> the one still active there are no scripts running) but the problem 
> persists. Therefore I think the problem does not come from a runaway 
> script. Any further ideas?
> 
> Thanks,
> Benedikt.
> 
> 

OK ... no idea what is causing your problem, but it seems that it only
happens on a couple URLs, correct?

If this is the case, what is similar on those URLs that is not normal
HTML, and is not on pages that are working .. ie, pieces of javascript
code, java applets, perl scripts called, etc.

> Lem Tomas wrote:
> 
> > runaway script?
> >
> > Benedikt Carda wrote:
> >
> >> Dear All,
> >>
> >> me again. I have found out, that it does not seem to be a DOS attack 
> >> against HTTP. The requested files and directories are too different 
> >> (including different virtual hosts, etc.) to be an attack. 
> >> Furthermore the log entries show, that only a few request come. 
> >> Therefore, the actual problem is, that a child process does not kill 
> >> itself after fulfilling the request. Therefore the max child requests 
> >> limit is reached after just 10 to 15 seconds and Apache does not 
> >> deliver any more documents. How can this happen and how can I get 
> >> Apache to work again?
> >>
> >> Best Regards,
> >> Benedikt.
> >>
> >>
> >> Benedikt Carda wrote:
> >>
> >>> Dear All,
> >>>
> >>> I am running WBEL 3 including Apache  on a box. Since four days as 
> >>> soon as I turn on Apache it reaches the maximum number of child 
> >>> processes in just a few seconds. Accessing a website on the server 
> >>> is awefully slow. I looked into the logs and found out, that many 
> >>> people try to reach a certain URL on the server (on one virtual 
> >>> host). First I renamed the directory to another name and the problem 
> >>> was solved. But the requests came back for another directory after a 
> >>> day. I tried to rename this one too, but unfortunately this time it 
> >>> did not work. The requests still produce the reach of the maximum 
> >>> number of child processes.
> >>>
> >>> It seems that somehow the child processes do not exit after 
> >>> fullfilling the request. I tried the following:
> >>>
> >>> * Disconnect from internet, restart Apache
> >>> Result: Normal operations, nothing special
> >>> * Reconnect to the internet:
> >>> Result: A few seconds and maximum number of child processes was reached
> >>> * Disconnect again from internet, not restarting Apache
> >>> Result: Still the child processes did not exit
> >>>
> >>> Also when restarting the Apache server I get a whole bunch of these 
> >>> kind of entries in the error log:
> >>>
> >>> [Mon Jun 20 08:32:21 2005] [warn] child process 975 still did not 
> >>> exit, sending a SIGTERM
> >>>
> >>> Does anybody know what to do? Thanks for help in advance.
> >>>
> >>> Best Regards,
> >>> Benedikt.
> >>
> >>
> 
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users at beau.org
> http://beau.org/mailman/listinfo/whitebox-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://beau.org/pipermail/whitebox-users/attachments/20050620/f5ec104b/attachment.bin

More information about the Whitebox-users mailing list