On Feb 9, 2014, at 4:27 AM, Leon Rosenberg <rosenberg.l...@gmail.com> wrote:
> Hello, > > I think some things are mixed up here. Since you are behind a load > balancer, its unlikely that you experience ping (icmp) DoS, at least that > it goes through till your server. > First, setup access logs in server.xml > > <!-- Access log processes all example. Documentation at: > /docs/config/valve.html Note: The pattern used is equivalent to using > pattern="common" --> > > <Valve className="org.apache.catalina.valves.AccessLogValve" > directory="logs" > > prefix="localhost_access_log." suffix=".txt" > > pattern="%h %{X-Forwarded-For}i %l %u %t "%r" %s %b" /> > > Note: usually, if the load balancer is configured properly, tomcat will see > the IP of the original request. If not, it will be send in a header field > (in example X-Forwarded-For). If your load balancer doesn't send a header > field - change its configuration to send one, you will need it anyway. +1 Get your access logs working properly. One other option to do this would be to use a RemoteIpValve. This will take the X-Forwarded-* information from your proxy and override the corresponding request attributes. It’s a nice option because it fixes the request information for both your application and the access logs. http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_IP_Valve > > Check that the page your loadbalancer uses to check whether tomcat behind > is available doesn't create a new session (session=false if its a jsp, > don't use request.getSession() if its a servlet). +1 I see this happen a lot. Beyond your load balancer, another possibility is that web crawlers are hitting your application. These bots often do not track session cookies and a single bot that crawls your site can create quite a few sessions. Here’s a link to a article Mark Thomas wrote that describes the problem further. http://www.tomcatexpert.com/blog/2011/05/18/crawler-session-manager-valve You can usually tell if bots are the culprit by looking at the user agent reported in the requests. Well behaved web crawlers will have a recognizable user agent. One way you can combat this is with Tomcat’s CrawlerSessionManagerValve. This will prevent certain user agent’s from creating sessions. Here’s a link to the docs. http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Crawler_Session_Manager_Valve Dan > > If that doesn't help, download and install moskito following this guide: > http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-1/ > > This will allow you to make charts of your sessions, you will see if there > are any patterns in session increase/decrease, maybe also together with > other values like users or requests. > > If you have multiple tomcats you can setup moskito-control and put all the > sessions from all tomcats into one chart: > http://blog.anotheria.net/msk/the-complete-moskito-integration-guide-step-6-moskito-control/ > > good luck. > > regards > > Leon. > > > > > > > > > > > > > > > > > > On Sun, Feb 9, 2014 at 6:22 AM, Kumar Muthuramalingam > <kumarkm...@gmail.com>wrote: > >> Thanks for your reply. What happened actually was there was a sudden >> increase in invalid sessions as I said before and we manually deleted those >> sessions using the tomcat manager. And then it appeared to be normal. But >> then it occurred three times in last two weeks. It' s a production >> environment. >> My question is not how to stop some thing so that it could stop the ping >> requests but I would like to know what could be the cause for it and how >> can I find the cause? Please help me. >> >> Thanks, >> Kumar. >> >> >> On Sat, Feb 8, 2014 at 9:01 PM, Martin Gainty <mgai...@hotmail.com> wrote: >> >>> DOS (Denial of Service) Attack >>> >>> one type is endless ping >>> >>> if someone is running a endless loop of ping attacks on your TC server >>> >>> you can disable ICMP on TC server >>> >>> >> https://www.serverintellect.com/support/windowsserversecurity/disable-icmp-requests/ >>> >>> >>> >>> DOC attack usually results in TROJ_MDROPPER.* on system >>> NAV and McAfee can detect these malware attachments on Word Docs >>> >>> >>> >> http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-doc-files-in-targeted-attack/ >>> >>> >>> HTH >>> Martin >>> >>> >>> >>> >>> >>>> Date: Sat, 8 Feb 2014 19:54:32 -0500 >>>> Subject: Re: sudden increase in tomcat sessions..? >>>> From: kumarkm...@gmail.com >>>> To: users@tomcat.apache.org >>>> >>>> Hi David, >>>> Thanks for your reply. How can I verify that it is a DOC attack? which >>>> log i should refer.please guide me. >>>> >>>> Thanks, >>>> Kumar. >>>> >>>> >>>> On Sat, Feb 8, 2014 at 7:42 PM, David Kerber <dcker...@verizon.net> >>> wrote: >>>> >>>>> On 2/8/2014 7:08 PM, Kumar Muthuramalingam wrote: >>>>> >>>>>> Hi, >>>>>> I 'm using tomcat version 6 and 7. One day there was a sudden >> increase >>>>>> in >>>>>> number of sessions in both tomcats. And all the sessions had no >>> username, >>>>>> same lastaccessed time, same created time and the inactive time was >>>>>> 00:00:00. It is not happening always but it happens some times on >> some >>>>>> day. >>>>>> Can't predict. And We have set the idle timeout as -1 because we >> have >>> to. >>>>>> When I try to dig the log. It showed that the load balancer IP was >>> sending >>>>>> many ping requests to our application. Can anybody tell why this is >>>>>> happening and how can I find the cause? >>>>>> >>>>> >>>>> DOS attack? >>>>> >>>>> >>>>> >>>>>> Thanks, >>>>>> Kumar. >>>>>> >>>>>> >>>>> >>>>> --------------------------------------------------------------------- >>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>>>> For additional commands, e-mail: users-h...@tomcat.apache.org >>>>> >>>>> >>> >>> >> --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org