Apache Floods Hilfe

bombaldi

bombaldi

Grünschnabel
Mein Apache steht regelmaessig unter Angriffen, es handelt sich hierbei wohl nur um normale HTTP anfragen, allerdings in einer so hohen Menge das die Load auf +50 geht und alles stehen bleibt.

Hier mal einige Auszuege waerend eines solchen Angriff

top - 14:59:12 up 14 days, 21:09, 3 users, load average: 41.71, 9.24, 4.57
Tasks: 110 total, 46 running, 63 sleeping, 0 stopped, 1 zombie
Cpu(s): 92.1%us, 5.9%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 2.0%si, 0.0%st
Mem: 500668k total, 470064k used, 30604k free, 21972k buffers
Swap: 1461872k total, 99404k used, 1362468k free, 166912k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1721 www-data 16 0 32596 18m 3536 R 19.8 3.7 0:29.60 apache2
545 www-data 16 0 29668 15m 3312 R 9.9 3.1 0:09.96 apache2
2868 www-data 16 0 28388 13m 3528 R 6.9 2.9 0:32.06 apache2
3282 www-data 15 0 25976 11m 3468 S 6.9 2.4 0:08.25 apache2
4777 www-data 15 0 27756 13m 3300 R 6.9 2.7 0:06.46 apache2
27477 www-data 16 0 27856 13m 3312 R 5.9 2.7 0:14.68 apache2
3741 www-data 16 0 32388 18m 3672 R 4.9 3.7 1:40.12 apache2
4781 www-data 16 0 32204 17m 3300 R 4.9 3.6 0:04.34 apache2
29442 www-data 16 0 25772 11m 3984 R 4.0 2.4 1:05.73 apache2
30135 www-data 16 0 31552 17m 3760 R 4.0 3.6 0:12.91 apache2
544 www-data 16 0 32292 17m 3356 R 4.0 3.6 0:07.14 apache2
3286 www-data 16 0 32240 17m 3312 R 4.0 3.6 0:06.05 apache2
4782 www-data 16 0 28308 13m 3304 R 4.0 2.8 0:06.35 apache2
6204 www-data 16 0 31964 17m 3136 R 4.0 3.5 0:04.03 apache2
6205 www-data 16 0 32420 17m 3136 R 4.0 3.6 0:04.15 apache2
27949 www-data 15 0 26040 11m 3312 S 3.0 2.4 0:12.83 apache2
29452 www-data 16 0 25688 11m 3520 R 2.0 2.3 0:59.99 apache2


Server Version: Apache/2.2.3 (Debian) PHP/5.2.5
Server Built: Jun 17 2007 20:24:06
_____________________________________________________________________________________________________________________________________________

Current Time: Thursday, 17-Apr-2008 23:40:52 CEST
Restart Time: Thursday, 17-Apr-2008 22:47:54 CEST
Parent Server Generation: 0
Server uptime: 52 minutes 57 seconds
Total accesses: 14333 - Total Traffic: 112.7 MB
CPU Usage: u392.2 s46.04 cu.07 cs0 - 13.8% CPU load
4.51 requests/sec - 36.3 kB/second - 8.0 kB/request
53 requests currently being processed, 0 idle workers

WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWSW.W.WWW........
................................................................
................................................................
................................................................
............................................

Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process

Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
0-0 2976 0/4/359 W 0.92 5 0 0.0 0.00 2.77 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=15479 HTTP/1.0
1-0 32243 0/74/336 W 5.65 2 0 0.0 0.81 2.46 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=2536 HTTP/1.0
2-0 32690 0/71/320 W 5.13 10 0 0.0 0.49 2.76 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=17150 HTTP/1.0
3-0 23619 0/363/363 W 6.91 6 0 0.0 3.32 3.32 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=9416 HTTP/1.0
4-0 2977 0/4/277 W 0.94 4 0 0.0 0.00 3.34 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=6727 HTTP/1.0
5-0 693 0/99/342 W 2.70 5 0 0.0 0.51 2.30 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=4879 HTTP/1.0
6-0 23622 0/353/353 W 22.45 1 0 0.0 2.55 2.55 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=6376 HTTP/1.0
7-0 23623 0/408/408 W 13.56 4 0 0.0 2.46 2.46 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=12492 HTTP/1.0
8-0 2728 0/22/296 W 1.13 1 0 0.0 0.07 2.79 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=8517 HTTP/1.0
9-0 23625 0/206/206 W 8.52 31 0 0.0 2.60 2.60 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=17321 HTTP/1.0
10-0 2733 0/6/268 W 1.04 28 0 0.0 0.01 1.57 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=9707 HTTP/1.0
11-0 30888 0/106/337 W 6.77 1 0 0.0 0.50 2.71 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=18717 HTTP/1.0
12-0 23628 0/432/432 W 18.56 35 0 0.0 3.50 3.50 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=12264 HTTP/1.0
13-0 2734 0/5/240 W 0.57 33 0 0.0 0.04 1.59 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=9931 HTTP/1.0
14-0 23630 0/440/440 W 16.51 32 0 0.0 3.83 3.83 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=5734 HTTP/1.0
15-0 2741 0/24/245 W 1.28 3 0 0.0 0.14 1.72 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=14250 HTTP/1.0
16-0 30889 0/183/409 W 12.80 27 0 0.0 1.18 2.56 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=8032 HTTP/1.0
17-0 23633 0/333/333 W 12.85 3 0 0.0 3.09 3.09 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=7173 HTTP/1.0
18-0 30890 0/113/331 W 3.76 1 0 0.0 0.82 3.15 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=7630 HTTP/1.0
19-0 30891 0/152/345 W 15.47 0 0 0.0 1.12 3.20 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=10385 HTTP/1.0
20-0 2978 0/0/302 W 0.00 31 0 0.0 0.00 1.71 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=15114 HTTP/1.0
21-0 2743 0/5/309 W 0.79 9 0 0.0 0.05 2.13 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=19889 HTTP/1.0
22-0 23853 0/361/361 W 15.13 3 0 0.0 2.59 2.59 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=2875 HTTP/1.0
23-0 23854 0/360/360 W 21.04 2 0 0.0 2.58 2.58 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=14342 HTTP/1.0
24-0 2744 0/6/296 W 0.97 1 0 0.0 0.02 2.01 91.6.50.128 hosted-by.leaseweb.com GET http://85.17.15.39/blog/?page_id=1934 HTTP/1.0
25-0 23856 0/357/357 W 16.04 34 0 0.0 2.81 2.81 84.61.137.156 hosted-by.leaseweb.com GET


Was empfehlt ihr mir in dieser Situation?
 
Die betreffenden IPs, die die Flood verursachen einfach via iptables aussperren.
 
Oder auch ein IDS verwenden, was dir das automatisch macht.
 
Erst die oben genannten Vorschläge abarbeiten.

Dann eine E-Mail an abuse@provider (leaseweb.com?) schicken, mit den Logs und eine der "Bitte" dem doch mal nachzugehen. ;-)
 

Ähnliche Themen

load avarage permanent 10

Debian Routing Problem

Rollei Mini Wifi Camcorder

Größere Dateien auf Webserver laden mittels Jumpload und AjaXplorer schlägt fehl - SE

Displayport + externer Monitor zeigt bei startx nichts erst bei DVI

Zurück
Oben