Hello,

I think some things are mixed up here. Since you are behind a load balancer, it's unlikely that you experience ping (ICMP) DoS, at least that it goes through to your server.

First, set up access logs in server.xml:

<!-- Access log processes all example.
     Documentation at: /docs/config/valve.html
     Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b" />

Note: usually, if the load balancer is configured properly, tomcat will see the IP of the original request. If not, it will be sent in a header field (in the example, X-Forwarded-For). If your load balancer doesn't send a header field, change its configuration to send one; you will need it anyway.

Check that the page your load balancer uses to check whether the tomcat behind it is available doesn't create a new session (session=false if it's a jsp, don't use request.getSession() if it's a servlet).

If that doesn't help, download and install moskito following this guide:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/

This will allow you to make charts of your sessions. You will see if there are any patterns in session increase/decrease, maybe also together with other values like users or requests.

If you have multiple tomcats you can set up moskito-control and put all the sessions from all tomcats into one chart:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/

good luck.

regards
Leon.

On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam <kumarkm...@gmail.com> wrote:

> Thanks for your reply. What happened actually was there was a sudden increase in invalid sessions as I said before and we manually deleted those sessions using the tomcat manager. And then it appeared to be normal. But then it occurred three times in the last two weeks. It's a production environment.
> My question is not how to stop something so that it could stop the ping requests but I would like to know what could be the cause for it and how can I find the cause? Please help me.
>
> Thanks,
> Kumar.
>
> On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty <mgai...@hotmail.com> wrote:
>
> > DOS (Denial of Service) Attack
> >
> > one type is endless ping
> >
> > if someone is running an endless loop of ping attacks on your TC server
> >
> > you can disable ICMP on TC server
> >
> > https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
> >
> > DOC attack usually results in TROJ_MDROPPER.* on system
> > NAV and McAfee can detect these malware attachments on Word Docs
> >
> > http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
> >
> > HTH
> > Martin
> >
> > > Date: Sat, 8 Feb 2014 19:54:32 -0500
> > > Subject: Re: sudden increase in tomcat sessions..?
> > > From: kumarkm...@gmail.com
> > > To: users@tomcat.apache.org
> > >
> > > Hi David,
> > > Thanks for your reply. How can I verify that it is a DOC attack? Which log should I refer to? Please guide me.
> > >
> > > Thanks,
> > > Kumar.
> > >
> > > On Sat, Feb 8, 2014 at 7:42 PM, David Kerber <dcker...@verizon.net> wrote:
> > >
> > > > On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
> > > >
> > > >> Hi,
> > > >> I'm using tomcat version 6 and 7. One day there was a sudden increase in the number of sessions in both tomcats. And all the sessions had no username, same lastaccessed time, same created time and the inactive time was 00:00:00. It is not happening always but it happens sometimes on some day. Can't predict. And we have set the idle timeout as -1 because we have to. When I tried to dig into the log, it showed that the load balancer IP was sending many ping requests to our application. Can anybody tell why this is happening and how can I find the cause?
> > > >>
> > > >
> > > > DOS attack?
> > > >
> > > >> Thanks,
> > > >> Kumar.
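An added example, not part of the original thread: a Python script that reads access-log lines written with the valve pattern from the reply above and reports which client and URL pairs reach a given request rate per minute, which is how a load balancer's health-check page shows up in the log. The sample lines, the addresses and the /app/ping.jsp path are constructed for illustration, and a single balancer in front of Tomcat is assumed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Valve pattern: %h %{X-Forwarded-For}i %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<xff>-|[^ ,]+(?:, ?[^ ,]+)*) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" \d{3} \S+$'
)

# Constructed sample lines; 10.0.0.5 stands in for the load balancer.
SAMPLE = [
    '10.0.0.5 - - - [09/Feb/2014:06:22:01 +0000] "GET /app/ping.jsp HTTP/1.1" 200 12',
    '10.0.0.5 - - - [09/Feb/2014:06:22:16 +0000] "GET /app/ping.jsp HTTP/1.1" 200 12',
    '10.0.0.5 203.0.113.7 - - [09/Feb/2014:06:22:20 +0000] "GET /app/login?next=%2F HTTP/1.1" 200 5120',
    '10.0.0.5 - - - [09/Feb/2014:06:22:31 +0000] "GET /app/ping.jsp HTTP/1.1" 200 12',
    '10.0.0.5 - - - [09/Feb/2014:06:22:46 +0000] "GET /app/ping.jsp HTTP/1.1" 200 12',
    '10.0.0.5 198.51.100.9, 203.0.113.7 - - [09/Feb/2014:06:23:02 +0000] "GET /app/login HTTP/1.1" 200 5120',
]

def parse(line):
    """Return (client, path, timestamp), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Earlier X-Forwarded-For entries are client-supplied; the rightmost one is
    # set by the balancer (assumed single hop), so only that one is used.
    xff = m["xff"]
    client = m["host"] if xff == "-" else xff.split(",")[-1].strip()
    parts = m["request"].split()
    path = parts[1].split("?")[0] if len(parts) >= 2 else m["request"]
    return client, path, datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def peak_per_minute(lines):
    """Map (client, path) to the highest request count seen in any one minute."""
    buckets = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):  # unparsable lines are skipped
        client, path, ts = rec
        buckets[(client, path)][ts.replace(second=0)] += 1
    return {key: max(c.values()) for key, c in buckets.items()}

def noisy(lines, threshold):
    """Client/path pairs whose per-minute peak reaches the threshold."""
    return sorted(k for k, v in peak_per_minute(lines).items() if v >= threshold)

if __name__ == "__main__":
    for key in noisy(SAMPLE, 3):
        print(key, peak_per_minute(SAMPLE)[key])
```

The URL reported for the balancer's own address is the page to inspect for session creation.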