Hello,

I think some things are mixed up here. Since you are behind a load
balancer, it's unlikely that you are experiencing a ping (ICMP) DoS, at
least not one that gets through to your server.
First, set up access logs in server.xml:

<!-- Access log processes all example.
     Documentation at: /docs/config/valve.html
     Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="localhost_access_log." suffix=".txt"
       pattern="%h %{X-Forwarded-For}i %l %u %t &quot;%r&quot; %s %b" />

Note: usually, if the load balancer is configured properly, Tomcat will see
the IP of the original request. If not, it will be sent in a header field
(in the example, X-Forwarded-For). If your load balancer doesn't send a
header field, change its configuration to send one; you will need it anyway.

Check that the page your load balancer uses to check whether the Tomcat
behind it is available doesn't create a new session (session=false if it's
a JSP, don't use request.getSession() if it's a servlet).

If that doesn't help, download and install moskito following this guide:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/

This will allow you to make charts of your sessions; you will see if there
are any patterns in session increase/decrease, maybe also together with
other values like users or requests.

If you have multiple tomcats you can set up moskito-control and put all the
sessions from all tomcats into one chart:
http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/

Good luck.

Regards,
Leon.

On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam
<kumarkm...@gmail.com> wrote:

> Thanks for your reply. What happened actually was there was a sudden
> increase in invalid sessions as I said before and we manually deleted those
> sessions using the tomcat manager. And then it appeared to be normal. But
> then it occurred three times in the last two weeks. It's a production
> environment.
> My question is not how to stop something so that it could stop the ping
> requests but I would like to know what could be the cause for it and how
> can I find the cause? Please help me.
>
> Thanks,
> Kumar.
>
>
> On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty <mgai...@hotmail.com> wrote:
>
> > DOS (Denial of Service) Attack
> >
> > One type is endless ping.
> >
> > If someone is running an endless loop of ping attacks on your TC server,
> > you can disable ICMP on the TC server:
> >
> > https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
> >
> > DOC attack usually results in TROJ_MDROPPER.* on system
> > NAV and McAfee can detect these malware attachments on Word Docs
> >
> > http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
> >
> >
> > HTH
> > Martin
> >
> >
> >
> >
> >
> > > Date: Sat, 8 Feb 2014 19:54:32 -0500
> > > Subject: Re: sudden increase in tomcat sessions..?
> > > From: kumarkm...@gmail.com
> > > To: users@tomcat.apache.org
> > >
> > > Hi David,
> > > Thanks for your reply. How can I verify that it is a DOC attack? Which
> > > log should I refer to? Please guide me.
> > >
> > > Thanks,
> > > Kumar.
> > >
> > >
> > > On Sat, Feb 8, 2014 at 7:42 PM, David Kerber <dcker...@verizon.net> wrote:
> > >
> > > > On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
> > > >
> > > > >> Hi,
> > > > >> I'm using tomcat version 6 and 7. One day there was a sudden
> > > > >> increase in number of sessions in both tomcats. And all the
> > > > >> sessions had no username, same lastaccessed time, same created
> > > > >> time and the inactive time was 00:00:00. It is not happening
> > > > >> always but it happens sometimes on some day. Can't predict. And
> > > > >> we have set the idle timeout as -1 because we have to. When I
> > > > >> tried to dig into the log, it showed that the load balancer IP was
> > > > >> sending many ping requests to our application. Can anybody tell
> > > > >> why this is happening and how can I find the cause?
> > > >>
> > > >
> > > > DOS attack?
> > > >
> > > >
> > > >
> > > >> Thanks,
> > > >> Kumar.
> > > >>
> > > >>
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > > >
> > > >
> >
> >
>
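
An added example, not part of the original thread: a small Python parser for access-log lines written with the valve pattern suggested at the top of this thread. It counts requests per minute, client and URL, so a burst sent by the load balancer itself (no X-Forwarded-For value), such as a health check that may be creating sessions, stands out. The sample lines, the address 10.0.0.5, the URL /app/ping and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Valve pattern from this thread: %h %{X-Forwarded-For}i %l %u %t "%r" %s %b
# X-Forwarded-For may be "-" or a comma-separated list that contains spaces.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) (?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The first X-Forwarded-For entry is only trustworthy if the load balancer
    # sets or overwrites the header; otherwise the client can supply it.
    first = rec["xff"].split(",")[0].strip()
    rec["direct"] = first in ("", "-")  # no header: the peer made the request itself
    rec["client"] = rec["peer"] if rec["direct"] else first
    parts = rec["request"].split()
    rec["path"] = parts[1].split("?")[0] if len(parts) >= 2 else rec["request"]
    rec["minute"] = rec["ts"][:17]  # dd/Mon/yyyy:HH:MM
    return rec

def bursts(lines, threshold):
    """Return (minute, client, path, direct, count) rows with count >= threshold."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["minute"], rec["client"], rec["path"], rec["direct"])] += 1
    rows = [key + (n,) for key, n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda row: -row[-1])

# Constructed sample: 10.0.0.5 stands in for the load balancer, /app/ping for its check URL.
SAMPLE = [
    f'10.0.0.5 - - - [09/Feb/2014:06:00:{s:02d} +0000] "GET /app/ping HTTP/1.1" 200 2'
    for s in range(0, 60, 2)
] + [
    '10.0.0.5 203.0.113.7 - - [09/Feb/2014:06:00:10 +0000] "GET /app/home HTTP/1.1" 200 512',
    '10.0.0.5 198.51.100.4, 10.0.0.9 - alice [09/Feb/2014:06:00:12 +0000] "POST /app/login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for minute, client, path, direct, n in bursts(SAMPLE, threshold=10):
        origin = "sent by the peer itself" if direct else "forwarded for a client"
        print(f"{minute} {client} {path}: {n} requests, {origin}")
```

Comparing the minutes this reports with the creation times of the suspicious sessions in the Tomcat manager shows whether the burst and the session spike coincide.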
