>Number: 5486 >Category: general >Synopsis: Server stops responding under Heavy load >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Fri Dec 17 06:10:01 PST 1999 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.3.9 >Environment: Linux 2.2.12 with gcc 2.7.2.3, no patches applied SMP Intel Dual PII 450 with 394 megs RAM, SCSI HD's Apache compiled with PHP3 support >Description: Apache server will stop responding under what appears to be heavy load (25+ requests per second) but the interesting thing is that if tcp_syncookies are turned on the problem directly corresponds to a "kernel: possible SYN flooding on port 80. Sending cookies.". This might indicate some sort of SYN attack or other DoS.
Running Portsentry and other logging tools does not show any useful information as we receive to many requests from to many users and proxy servers to show who or what (if any) might be causing the attack if it is one. >How-To-Repeat: Problem is not repeatable on our end, and can happen multiple times a day, or not at all for a week or more >Fix: I have created a simple Shell Script (ala bash) that checks the status of the server every 10 seconds and restarts it if it stops responding. The source is available to others experiencing the same problem. >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, you need] [to include <[EMAIL PROTECTED]> in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]
