Date:      Tue, 18 May 1999 13:15:28 +0300 (EEST)
From:      "Andy V. Oleynik" <andyo@mail.prime.net.ua>
To:        Dan Langille <junkmale@xtra.co.nz>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: http attack(?)
Message-ID:  <Pine.BSF.3.96.990518130716.16577A-100000@mail.prime.net.ua>
In-Reply-To: <19990518095202.EPCY7623210.mta2-rme@wocker>

If you remember, there was a problem in sendmail up to 8.9.2
with a message-header length exploit (starting 5 sessions
catastrophically slowed the system down). My guess is that
giving HTTP a request like this
"GET /vary.long.maybe.even.not.existent.URL..."
could lead to this problem. But it may be a
question for apache.org.

On Tue, 18 May 1999, Dan Langille wrote:

> A few days ago, I noticed my machine was running extremely slowly.  I did a top 10 at the console and 
> got "too many open files".  Existing telnet sessions were non-responsive.  New telnets would not start. 
> 
> I then tried a top 5.  named and syslogd were busy.  
> 
> I looked at httpd.error and 21 of these spread over 14 seconds:
> [Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system
> 
> Looking in the access logs for one of my virtual websites I found this.  Bits have been snipped to save 
> repetition and conserve space.
> 
> per.wave.orc.ru - - [15/May/1999:10:55:57 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:10:56:58 +1200] "-" 408 -
> 
> [etc]
> 
> per.wave.orc.ru - - [15/May/1999:16:42:21 +1200] "-" 408 -               
> per.wave.orc.ru - - [15/May/1999:16:42:49 +1200] "-" 408 -              
> 212.48.133.22 - - [15/May/1999:16:45:30 +1200] "-" 408 -              
> 212.48.133.22 - - [15/May/1999:16:46:19 +1200] "-" 408 -         
> 
> [at which point I guess httpd decided not to translate any more or named gave up]
> 
> [this is also roughly the point at which I noticed the system was slowing]
> 
> 212.48.133.22 - - [15/May/1999:16:55:35 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:55:40 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:55:59 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:56:05 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:56:47 +1200] "-" 408 -
> 
> [etc]
> 
> per.wave.orc.ru - - [15/May/1999:17:14:13 +1200] "-" 408 -
> 
> [ends]
> 
> I shortly thereafter started blocking this address at my firewall.  A further 200 or so packets were 
> blocked.  No further activity has been seen.  Messages sent to various addresses at orc.ru have gone 
> unanswered.
> 
> Is this a known attack?   A browser gone mad?
> 
> A remark on irc was that httpd was trying to consume more resources than the machine possessed.
> --
> Dan Langille - DVL Software Limited
> The FreeBSD Diary     - http://www.FreeBSDDiary.org/freebsd/
> NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
> The Racing System     - http://www.racingsystem.com/racingsystem.htm



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.990518130716.16577A-100000>
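The access-log pattern Dan describes (a stream of `"-" 408 -` entries from one or two hosts, followed by "Too many open files") is easy to spot mechanically. The script below is an added example written for this page, not code from the thread or from Apache: it parses Apache common-log-format lines, keeps only 408 entries with an empty request line (a client connected and sent nothing before the server's request timeout fired), and flags any host whose count of such entries within a sliding time window reaches a threshold. The sample log lines are constructed to mimic the format in the post, and the window and threshold values are assumptions, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines, modelled on the post (hosts are documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/May/1999:16:55:35 +1200] "-" 408 -',
    '192.0.2.10 - - [15/May/1999:16:55:40 +1200] "-" 408 -',
    '192.0.2.10 - - [15/May/1999:16:55:47 +1200] "-" 408 -',
    '192.0.2.10 - - [15/May/1999:16:55:48 +1200] "-" 408 -',
    '192.0.2.10 - - [15/May/1999:16:55:59 +1200] "-" 408 -',
    '192.0.2.10 - - [15/May/1999:16:56:05 +1200] "-" 408 -',
    '198.51.100.7 - - [15/May/1999:16:55:50 +1200] "GET /index.html HTTP/1.0" 200 1234',
    # a single timeout from an otherwise normal client is not suspicious
    '198.51.100.7 - - [15/May/1999:10:56:58 +1200] "-" 408 -',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "request": m.group("request"),
        "status": int(m.group("status")),
    }


def find_timeout_floods(lines, window=timedelta(minutes=5), threshold=5):
    """Return {host: peak count} for hosts with at least `threshold` empty-request
    408 entries inside any `window`-long span. Each such entry is a connection
    that held a server slot (and a file descriptor) for the full request timeout.
    Window and threshold defaults are assumptions for the example."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 408 and rec["request"] == "-":
            per_host[rec["host"]].append(rec["time"])

    flagged = {}
    for host, times in per_host.items():
        times.sort()
        best = 0
        start = 0
        # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged


if __name__ == "__main__":
    for host, peak in find_timeout_floods(SAMPLE_LOG).items():
        print(f"{host}: {peak} empty-request timeouts within one window")
```

Run against a real access log, the output is the list of hosts worth a firewall rule, which is what Dan ended up doing by hand. Each idle connection occupies a server child and a socket descriptor until Apache's `Timeout` directive expires it, so lowering that value shrinks the number of descriptors a single slow client can pin at once; the threshold you choose for the script should be compared against the server's `MaxClients` and the kernel's open-file limit, not picked in the abstract.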