
apache DOS?!?



Hi List!

For a few days I have experienced strange behaviour of the apache running
on my home-PC (with debian-linux stable/testing, apache 1.3.27).
The connection to the internet is performed via a LAN-ADSL-Modem (768/128).

What I first noticed was that line-performance goes down extremely when
the apache is running. First I thought that it would produce too much
load (because of a misconfig/BUG), but a look at top showed that top used
the most CPU-time on the machine.
A ping showed more:
no apache running, pinging my uni's webserver took 40ms
with apache running, the ping-time rose to 4s (min. 1s).
This is strange I thought...  Is there someone connecting to the web-server each time it is started???

So the next thing to do was to netstat:
sonicx.homeunix.net is my PC, anger.homeunix.net a kind of
backup-machine (in the LAN) and 81.223.154.109 the address of
sonicx to the world.
And - tataaa - here you can see the connections to the following hosts:
o 212.182.162.135:3116
o nchobo04.telenet-:46522
o webcacheH10a.cach:17023

tcp        0  27740 81.223.154.109:www      212.182.162.135:3116    ESTABLISHED16745/apache        
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:933  ESTABLISHED8921/sshd           
tcp        0      0 81.223.154.109:www      161.148.207.94:46692    TIME_WAIT  -                   
tcp        0      0 sonicx.homeunix.ne:1030 anger.homeunix.net:x11  ESTABLISHED638/opera           
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:892  ESTABLISHED13409/sshd: klaus [ 
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:660  ESTABLISHED1160/sshd           
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:652  ESTABLISHED1175/sshd           
tcp        0  14480 81.223.154.109:www      nchobo04.telenet-:46522 ESTABLISHED16717/apache        
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:972  ESTABLISHED881/sshd            
tcp        0  26064 81.223.154.109:www      webcacheH10a.cach:17023 ESTABLISHED16719/apache        
tcp        0      0 172.16.246.216:3142     inode.homeunix.net:1723 ESTABLISHED16373/pptp          
tcp        0  14480 81.223.154.109:www      nchobo04.telenet-:46519 ESTABLISHED16727/apache        
tcp        1      0 81.223.154.109:3160     63.65.120.40:www        CLOSE_WAIT 638/opera           
tcp        0  24616 81.223.154.109:www      nchobo04.telenet-:46526 ESTABLISHED16718/apache        
tcp        0  26064 81.223.154.109:www      nchobo04.telenet-:46518 ESTABLISHED16725/apache        
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:1008 ESTABLISHED13020/sshd: klaus [ 
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:835  ESTABLISHED622/sshd            
tcp        0  39096 81.223.154.109:www      nchobo04.telenet-:46285 ESTABLISHED16734/apache        
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:683  ESTABLISHED13035/sshd: klaus [ 
tcp        0  33304 81.223.154.109:www      nchobo04.telenet-:46517 ESTABLISHED16721/apache        
tcp        1      0 81.223.154.109:3162     ims.laserlink.net:https CLOSE_WAIT 638/opera           
tcp        0  18824 81.223.154.109:www      nchobo04.telenet-:46524 ESTABLISHED16720/apache        

The second column is the Send-Q...

An EARLIER run of netstat with the -n option resulted in this
Hosts/IP-Addresses:

sonicx:~# host 67.101.28.89
Name: h-67-101-28-89.NYCMNY83.dynamic.covad.net
Address: 67.101.28.89

sonicx:~# host 195.92.67.76
Name: webcacheH12a.cache.pol.co.uk
Address: 195.92.67.76


Here are traceroutes

sonicx:~# traceroute h-67-101-28-89.NYCMNY83.dynamic.covad.net
traceroute to h-67-101-28-89.NYCMNY83.dynamic.covad.net (67.101.28.89), 30 hops max, 38 byte packets
 1  LNS3-ix-fae-3-e.vie-shut.inode.at (62.99.171.188)  42.059 ms  34.632 ms  33.142 ms
 2  gw-ix-fae-3-001.vie-shut.inode.at (62.99.171.185)  34.261 ms  34.228 ms  37.286 ms
 3  GE.inode.at (62.99.170.5)  36.309 ms  53.962 ms  33.624 ms
  4  POS-0-0-1.Frankfurt-Vienna.inode.at (62.99.170.86)  50.220 ms  50.287 ms  52.008 ms
5  GigabitEthernet2-0-164.ipcolo1.frankfurt1.level3.net (62.67.38.17)  49.318 ms  50.535 ms  47.442 ms
6  ae0-51.mp1.Frankfurt1.Level3.net (195.122.136.1)  52.279 ms  52.276 ms  46.203 ms
7  so-3-0-0.mp2.London1.Level3.net (212.187.128.57)  63.697 ms  66.605 ms  62.556 ms
8  so-1-0-0.bbr2.NewYork1.level3.net (212.187.128.153)  128.071 ms  130.989 ms  129.844 ms
9  gige7-0.ipcolo2.NewYork1.Level3.net (64.159.17.36)  129.582 ms  129.791 ms  131.075 ms
10  fa1-0-0.nylevel3-1.sonyonline.net (63.211.32.70)  136.934 ms  130.833 ms  133.926 ms
11  * * *
...
29  * * *
30  * * *


sonicx:~# traceroute webcacheH12a.cache.pol.co.uk
traceroute to webcacheH12a.cache.pol.co.uk (195.92.67.76), 30 hops max, 38 byte packets
1  LNS3-ix-fae-3-e.vie-shut.inode.at (62.99.171.188)  31.824 ms  34.415 ms  31.103 ms
2  gw-ix-fae-3-001.vie-shut.inode.at (62.99.171.185)  31.427 ms  35.494 ms  41.369 ms
3  GE.inode.at (62.99.170.5)  36.375 ms  35.609 ms  37.630 ms
4  POS-0-0-1.Frankfurt-Vienna.inode.at (62.99.170.86)  51.211 ms  51.714 ms  61.370 ms
5  GigabitEthernet2-0-164.ipcolo1.frankfurt1.level3.net (62.67.38.17)  46.524 ms  52.141 ms  47.390 ms
6  ae0-53.mp1.Frankfurt1.Level3.net (195.122.136.65)  52.757 ms  47.399 ms  47.491 ms
7  so-2-0-0.mp1.London1.Level3.net (212.187.128.50)  62.426 ms  61.058 ms  68.281 ms
8  gige7-0.ipcolo2.London1.Level3.net (212.187.131.132)  62.803 ms  66.964 ms  67.558 ms
9  195.50.116.190 (195.50.116.190)  63.072 ms  64.111 ms  66.842 ms
10  pos1-0.lettuce.as5388.net (195.92.55.117)  72.858 ms  67.051 ms  67.931 ms
11  * * *
...
29  * * *
30  * * *


Does anybody have an idea what happens here? Is this a kind of
cache-synchronization (I don't have a squid running)?

When I block the hosts with iptables, not 3 minutes later some other
hosts cause the same behavior.

thanx,
Klaus



-- 
Klaus Siegesleitner - klaus@came.sbg.ac.at 
CAME (Center of Applied Molecular Engineering) 
University of Salzburg, Jakob-Haringerstr. 5, A-5020 Salzburg
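
Added example (not part of the original post): Python that parses netstat output in the form quoted above, including the fused State/PID column, and totals Send-Q per remote host for ESTABLISHED connections to the local www port. The function names and the reading of "128" as the uplink rate in kbit/s are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the netstat output quoted in the post (State and PID columns fused).
SAMPLE = """\
tcp        0  27740 81.223.154.109:www      212.182.162.135:3116    ESTABLISHED16745/apache
tcp        0      0 sonicx.homeunix.net:ssh anger.homeunix.net:933  ESTABLISHED8921/sshd
tcp        0      0 81.223.154.109:www      161.148.207.94:46692    TIME_WAIT  -
tcp        0  14480 81.223.154.109:www      nchobo04.telenet-:46522 ESTABLISHED16717/apache
tcp        0  26064 81.223.154.109:www      webcacheH10a.cach:17023 ESTABLISHED16719/apache
tcp        0  14480 81.223.154.109:www      nchobo04.telenet-:46519 ESTABLISHED16727/apache
tcp        1      0 81.223.154.109:3160     63.65.120.40:www        CLOSE_WAIT 638/opera
"""

# Explicit state names, so "ESTABLISHED16745/apache" splits at the right place.
STATES = ("ESTABLISHED|SYN_SENT|SYN_RECV|FIN_WAIT1|FIN_WAIT2|TIME_WAIT|"
          "CLOSE_WAIT|CLOSING|CLOSE|LAST_ACK|LISTEN|UNKNOWN")
LINE = re.compile(
    r"^tcp\S*\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+"
    r"(?P<lhost>\S+):(?P<lport>\S+)\s+(?P<rhost>\S+):(?P<rport>\S+)\s+"
    rf"(?P<state>{STATES})\s*(?P<proc>\S.*?)?\s*$")

def send_queue_by_peer(text, ports=("www", "80")):
    """Return {remote_host: (connections, queued_bytes)} for ESTABLISHED
    connections whose local port is one of `ports`."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["state"] != "ESTABLISHED" or m["lport"] not in ports:
            continue
        totals[m["rhost"]][0] += 1
        totals[m["rhost"]][1] += int(m["sendq"])
    return {host: tuple(v) for host, v in totals.items()}

def drain_seconds(queued_bytes, uplink_kbit=128):
    """Seconds to send queued_bytes at uplink_kbit (assumed kbit/s, 1 kbit = 1000 bit)."""
    return queued_bytes * 8 / (uplink_kbit * 1000)

if __name__ == "__main__":
    peers = send_queue_by_peer(SAMPLE)
    for host, (n, q) in sorted(peers.items(), key=lambda kv: -kv[1][1]):
        print(f"{host:20} conns={n} send_q={q}")
    total = sum(q for _, q in peers.values())
    print(f"total queued {total} bytes, ~{drain_seconds(total):.1f}s at 128 kbit/s")
```

Remote names truncated by netstat (such as "nchobo04.telenet-") are grouped as printed; running netstat with -n avoids the truncation.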


