Date: Thu, 14 Sep 2006 17:14:55 +0200 From: Willem Jan Withagen <wjw@withagen.nl> To: freebsd-net@freebsd.org Subject: Re: blocking a string in a packet using ipfw Message-ID: <450971EF.3020209@withagen.nl> In-Reply-To: <20060914144130.GB17002@in-addr.com> References: <4509592A.3040602@digiware.nl> <20060914144130.GB17002@in-addr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Gary Palmer wrote: > On Thu, Sep 14, 2006 at 03:29:14PM +0200, Willem Jan Withagen wrote: >> I received a call from a customer this morning that all of his websites were >> no longer on line. So After some resetting and more I turnout that there >> was a >> serious overload on his server. Over 500 clients connected. (norm is 50) and >> they were all trying to get this file 777.gif. (Which is not on any of the >> sites). > > Why not just create a 0 length file 777.gif and let people fetch it? Its > probably a lot less work for the server. I had several suggestions this direction. And it does help a little. The math is however against me. I had over 50 request/sec for this file. Now if the virus uses anything which leaves the connection open for regular timeout, and the server uses keepAlive. Then you are running into trouble because you soon run out of server slots. And even if you were to up with the standard apache settings for 15 secs, you have to set it at 750 serverslots. A serverslot takes about 13Mb virtual memory of which is about 8M resident. The machine has 512mb real memory, so after about 60 servers the machine starts to swap. Which works until about 100-150 serverslots (empirical prove). Now imagine what 500 would do, which is the initial setting for the number of MaxServers. The machine comes to a grinding halt. Which was what we also painfully found out. So solutions here are: either a very short keepalive timeout or no keepalive at all. Note that since this morning over 45.000 infected systems tried to access this server. --WjW
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?450971EF.3020209>