From: Gary Palmer <gpalmer@freebsd.org>
To: freebsd-net@freebsd.org
Date: Thu, 14 Sep 2006 11:34:34 -0400
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <20060914153434.GC17002@in-addr.com>
In-Reply-To: <450971EF.3020209@withagen.nl>

On Thu, Sep 14, 2006 at 05:14:55PM +0200, Willem Jan Withagen wrote:
> I had several suggestions in this direction. And it does help a little.
> The math is however against me.
>
> I had over 50 requests/sec for this file. Now if the virus uses anything
> which leaves the connection open for the regular timeout, and the server uses
> KeepAlive, then you are running into trouble because you soon run out of
> server slots. And even if you were to go with the standard Apache setting
> of 15 secs, you have to set it at 750 server slots.
>
> A server slot takes about 13 MB virtual memory, of which about 8 MB is resident.
> The machine has 512 MB real memory, so after about 60 servers the machine
> starts to swap. Which works until about 100-150 server slots (empirical
> proof).
> Now imagine what 500 would do, which is the initial setting for the number
> of MaxServers. The machine comes to a grinding halt. Which was what we also
> painfully found out.
>
> So solutions here are:
> either a very short keepalive timeout
> or no keepalive at all.
>
> Note that since this morning over 45.000 infected systems tried to access
> this server.

Configure Apache to issue an HTTP 302 redirect to some big file on microsoft.com.
You might even be able to get them to download the Windows Defender thing to
clean up their systems.

You might still have to turn off keepalives :-(
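The Apache-side mitigation the two messages above describe (a short keepalive timeout, a server-slot limit sized to the box's memory, and a 302 instead of serving the file body), written out as an added configuration example that is not from the thread. The prefork MPM, the /update.exe path and the redirect target are assumptions and placeholders, and the slot arithmetic uses the figures quoted in the thread.

```apache
# Added example, not from the thread. Prefork MPM on a 512 MB machine;
# "/update.exe" and the redirect target are placeholders.

# --- Weak: the settings the thread describes driving the box into swap ---
# KeepAlive        On
# KeepAliveTimeout 15    # 50 req/s * 15 s held open  -> ~750 busy slots
# MaxClients       500   # ~13 MB virtual / ~8 MB resident each -> swapping

# --- Hardened: release slots fast and cap them to what fits in RAM ---
KeepAlive            On
KeepAliveTimeout     2     # or "KeepAlive Off" if the flood keeps slots busy
MaxKeepAliveRequests 10
ServerLimit          60
MaxClients           60    # ~60 * 8 MB resident stays below 512 MB

# Answer the flooded URL with a 302 instead of the file body, so each hit
# costs a few hundred bytes and no disk read.  Placeholder target: point it
# at a host that is sized to absorb the load.
RedirectMatch 302 ^/update\.exe$ http://mirror.example.invalid/update.exe

# Keep the access log usable by not logging the flood.
SetEnvIf  Request_URI "^/update\.exe$" noisy_client
CustomLog /var/log/httpd-access.log combined env=!noisy_client
```

With the redirect in place the infected clients still open connections, so the keepalive and MaxClients changes are what actually protect memory; the 302 only reduces per-request cost.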