Security Incidents mailing list archives
Re: Jammed WebSite
From: Kee Hinckley <nazgul () SOMEWHERE COM>
Date: Wed, 26 Jul 2000 17:58:26 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In a past life I twice helped build Boston's First Night site. Both times the ISP was overloaded as midnight approached.

At 1:57 PM -0400 7/26/00, David Hibbeln wrote:
> no evidence of DoS or other attack. One administrator stated that due to
> the volume of hits he could not access the machine, had to turn it off,
> and then quickly get inside for review before the hits built up
That's definitely consistent with a server overload. The issue is that some servers may not be configured to throttle connections properly. If they are so configured, then when the load and number of connections hit a certain level it would just start refusing connections. However, if they *don't* throttle, all hell breaks loose. The machine starts running out of memory resources, causing simple operations to take huge amounts of time. The problem quickly gets worse, because as soon as it passes that threshold, normal requests aren't processed in time, so they sit there eating up resources such as open file descriptors and sockets. Typically the only way out is to either unplug the network connection and let it settle down, or just reboot the machine.

> and provided a munged link to jya.com: http://jya.com/crypto.htmhttp://jya.com/crypto.htm
> Thousands of hits on this non-existent file began to appear in the error
> log, and there have now been tens of thousands of them (maybe in
If you can get referrer field information on that it would be helpful. I suspect you'll find they all came from a single site which had (but may not have any more) a typo in its link. It's not uncommon. Something like <a href="http://jwa.com/crypto.htmhttp://jya.com/crypto.htm</a> might cause it.
> (1) (32)Broken pipe: accept: (client socket)
Sounds like the machine ran out of sockets, or else it's forking off new processes which are promptly dying. Is the site pure HTML, or are things being pre-processed by CGI?
> (2) [warn] child process 736 still did not exit, sending a SIGTERM
A hosed server process might cause that, or just a system load so bad that some processes didn't exit in time.
> (4) Site site1 has invalid certificate: 4999 Certificate files
> do not exist.

That's an odd one. Given everything else I'm inclined to just blame something being out of resources, but I can't speculate on the specifics.

All told though, it sounds to me like a very overloaded web server. When a server starts running out of file descriptors, things start breaking everywhere. It should have been configured to throttle connections to a more appropriate level, but I don't see anything malicious in it. That said, the easiest DOS attack against a web server would be to simply overload it with web requests. However, a log report on the address of visitors and the referral information should give you a reasonable indication of whether it's that.

- -- 
Kee Hinckley - Somewhere.Com, LLC - Cyberspace Architects

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOX9fDyZsPfdw+r2CEQLNygCdEQsSFTF5SHkOoN1atJDcpdoIwhsAoM1C
p0XA5BB/nzP9vlVghgIh0HQD
=xpZX
-----END PGP SIGNATURE-----
Current thread:
- Jammed WebSite David Hibbeln (Jul 26)
- Re: Jammed WebSite Kee Hinckley (Jul 27)