On Feb 9, 2014, at 4:27 AM, Leon Rosenberg <rosenberg.l...@gmail.com> wrote:
> Hello,
>
> I think some things are mixed up here. Since you are behind a load
> balancer, its unlikely that you experience ping (icmp) DoS, at least that
> it goes through till your server.
> First, setup access logs in server.xml
>
> <!-- Access log processes all example. Documentation at:
> /docs/config/valve.html Note: The pattern used is equivalent to using
> pattern="common" -->
>
> <Valve className="org.apache.catalina.valves.AccessLogValve"
> directory="logs"
>
> prefix="localhost_access_log." suffix=".txt"
>
> pattern="%h %{X-Forwarded-For}i %l %u %t "%r" %s %b" />
>
> Note: usually, if the load balancer is configured properly, tomcat will see
> the IP of the original request. If not, it will be send in a header field
> (in example X-Forwarded-For). If your load balancer doesn't send a header
> field - change its configuration to send one, you will need it anyway.
+1 Get your access logs working properly.
One other option to do this would be to use a RemoteIpValve. This will take
the X-Forwarded-* information from your proxy and override the corresponding
request attributes. It’s a nice option because it fixes the request
information for both your application and the access logs.
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve
>
> Check that the page your loadbalancer uses to check whether tomcat behind
> is available doesn't create a new session (session=false if its a jsp,
> don't use request.getSession() if its a servlet).
+1 I see this happen a lot.
Beyond your load balancer, another possibility is that web crawlers are hitting
your application. These bots often do not track session cookies and a single
bot that crawls your site can create quite a few sessions. Here’s a link to a
article Mark Thomas wrote that describes the problem further.
http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve
You can usually tell if bots are the culprit by looking at the user agent
reported in the requests. Well behaved web crawlers will have a recognizable
user agent.
One way you can combat this is with Tomcat’s CrawlerSessionManagerValve. This
will prevent certain user agent’s from creating sessions. Here’s a link to the
docs.
http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Crawler_Session_Manager_Valve
Dan
>
> If that doesn't help, download and install moskito following this guide:
> http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/
>
> This will allow you to make charts of your sessions, you will see if there
> are any patterns in session increase/decrease, maybe also together with
> other values like users or requests.
>
> If you have multiple tomcats you can setup moskito-control and put all the
> sessions from all tomcats into one chart:
> http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/
>
> good luck.
>
> regards
>
> Leon.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam
> <kumarkm...@gmail.com>wrote:
>
>> Thanks for your reply. What happened actually was there was a sudden
>> increase in invalid sessions as I said before and we manually deleted those
>> sessions using the tomcat manager. And then it appeared to be normal. But
>> then it occurred three times in last two weeks. It' s a production
>> environment.
>> My question is not how to stop some thing so that it could stop the ping
>> requests but I would like to know what could be the cause for it and how
>> can I find the cause? Please help me.
>>
>> Thanks,
>> Kumar.
>>
>>
>> On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty <mgai...@hotmail.com> wrote:
>>
>>> DOS (Denial of Service) Attack
>>>
>>> one type is endless ping
>>>
>>> if someone is running a endless loop of ping attacks on your TC server
>>>
>>> you can disable ICMP on TC server
>>>
>>>
>> https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/
>>>
>>>
>>>
>>> DOC attack usually results in TROJ_MDROPPER.* on system
>>> NAV and McAfee can detect these malware attachments on Word Docs
>>>
>>>
>>>
>> http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/
>>>
>>>
>>> HTH
>>> Martin
>>>
>>>
>>>
>>>
>>>
>>>> Date: Sat, 8 Feb 2014 19:54:32 -0500
>>>> Subject: Re: sudden increase in tomcat sessions..?
>>>> From: kumarkm...@gmail.com
>>>> To: users@tomcat.apache.org
>>>>
>>>> Hi David,
>>>> Thanks for your reply. How can I verify that it is a DOC attack? which
>>>> log i should refer.please guide me.
>>>>
>>>> Thanks,
>>>> Kumar.
>>>>
>>>>
>>>> On Sat, Feb 8, 2014 at 7:42 PM, David Kerber <dcker...@verizon.net>
>>> wrote:
>>>>
>>>>> On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote:
>>>>>
>>>>>> Hi,
>>>>>> I 'm using tomcat version 6 and 7. One day there was a sudden
>> increase
>>>>>> in
>>>>>> number of sessions in both tomcats. And all the sessions had no
>>> username,
>>>>>> same lastaccessed time, same created time and the inactive time was
>>>>>> 00:00:00. It is not happening always but it happens some times on
>> some
>>>>>> day.
>>>>>> Can't predict. And We have set the idle timeout as -1 because we
>> have
>>> to.
>>>>>> When I try to dig the log. It showed that the load balancer IP was
>>> sending
>>>>>> many ping requests to our application. Can anybody tell why this is
>>>>>> happening and how can I find the cause?
>>>>>>
>>>>>
>>>>> DOS attack?
>>>>>
>>>>>
>>>>>
>>>>>> Thanks,
>>>>>> Kumar.
>>>>>>
>>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>>>
>>>
>>>
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
