blocking a string in a packet using ipfw
Willem Jan Withagen
wjw at withagen.nl
Thu Sep 14 08:13:53 PDT 2006
Gary Palmer wrote:
> On Thu, Sep 14, 2006 at 03:29:14PM +0200, Willem Jan Withagen wrote:
>> I received a call from a customer this morning that all of his websites were
>> no longer online. So after some resetting and more it turned out that there
>> was a serious overload on his server. Over 500 clients connected (norm is 50) and
>> they were all trying to get this file 777.gif. (Which is not on any of the
>> sites).
>
> Why not just create a 0 length file 777.gif and let people fetch it? It's
> probably a lot less work for the server.
I had several suggestions in this direction. And it does help a little.
The math is however against me.
I had over 50 requests/sec for this file. Now if the virus uses anything which
leaves the connection open for the regular timeout, and the server uses KeepAlive,
then you are running into trouble because you soon run out of server slots.
And even if you were to go with the standard Apache setting of 15 secs, you
have to set it at 750 server slots.
A server slot takes about 13MB virtual memory, of which about 8MB is resident.
The machine has 512MB real memory, so after about 60 servers the machine
starts to swap. Which works until about 100-150 server slots (empirical proof).
Now imagine what 500 would do, which is the initial setting for the number of
MaxServers. The machine comes to a grinding halt. Which was what we also
painfully found out.
So solutions here are:
either a very short keepalive timeout
or no keepalive at all.
Note that since this morning over 45.000 infected systems tried to access this
server.
--WjW
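The capacity arithmetic in the post above, as an added Python example that is not from the thread: it counts per-second hits for one URL in constructed access-log lines, then applies the post's figures (50 req/s, a 15 s Apache KeepAliveTimeout, about 8MB resident per slot, 512MB RAM) to show why the default keep-alive overruns memory while a 1 s timeout does not. The log lines, function names and the per-second bucketing are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache Common Log Format (not from the original thread).
SAMPLE_LOG = """\
10.0.0.1 - - [14/Sep/2006:08:00:00 +0200] "GET /777.gif HTTP/1.1" 404 209
10.0.0.2 - - [14/Sep/2006:08:00:00 +0200] "GET /777.gif HTTP/1.1" 404 209
10.0.0.3 - - [14/Sep/2006:08:00:00 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.4 - - [14/Sep/2006:08:00:01 +0200] "GET /777.gif HTTP/1.1" 404 209
10.0.0.5 - - [14/Sep/2006:08:00:01 +0200] "GET /777.gif HTTP/1.1" 404 209
10.0.0.6 - - [14/Sep/2006:08:00:02 +0200] "GET /777.gif HTTP/1.1" 404 209
"""

# Fields we need: client IP, timestamp (1-second resolution), request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def peak_rate(log_text, path):
    """Peak requests/sec for one URL, bucketed by the log's per-second timestamp."""
    per_second = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") == path:
            per_second[m.group("ts")] += 1
    return max(per_second.values(), default=0)

def slots_needed(rate_per_sec, keepalive_timeout_s):
    """Concurrent slots if every connection idles for the full KeepAliveTimeout (Little's law, L = rate * W)."""
    return rate_per_sec * keepalive_timeout_s

def slots_that_fit(ram_mb, resident_mb_per_slot):
    """How many slots fit in physical memory before the box starts swapping."""
    return ram_mb // resident_mb_per_slot

def capacity_check(rate_per_sec, keepalive_timeout_s, ram_mb=512, resident_mb_per_slot=8):
    """Compare the slots the flood demands with the slots RAM can hold (defaults are the post's figures)."""
    need = slots_needed(rate_per_sec, keepalive_timeout_s)
    fit = slots_that_fit(ram_mb, resident_mb_per_slot)
    return {"slots_needed": need, "slots_that_fit": fit, "will_swap": need > fit}

if __name__ == "__main__":
    print("peak /777.gif rate in sample:", peak_rate(SAMPLE_LOG, "/777.gif"), "req/s")
    # The post's figures: 50 req/s, default KeepAliveTimeout 15 s -> 750 slots vs 64 that fit.
    print("KeepAliveTimeout 15:", capacity_check(50, 15))
    print("KeepAliveTimeout 1: ", capacity_check(50, 1))
```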