From owner-freebsd-net@FreeBSD.ORG Thu Sep 14 15:13:53 2006
From: Willem Jan Withagen <wjw@withagen.nl>
To: freebsd-net@freebsd.org
Date: Thu, 14 Sep 2006 17:14:55 +0200
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <450971EF.3020209@withagen.nl>
In-Reply-To: <20060914144130.GB17002@in-addr.com>
References: <4509592A.3040602@digiware.nl> <20060914144130.GB17002@in-addr.com>
List-Id: Networking and TCP/IP with FreeBSD

Gary Palmer wrote:
> On Thu, Sep 14, 2006 at 03:29:14PM +0200, Willem Jan Withagen wrote:
>> I received a call from a customer this morning that all of his websites were
>> no longer online. So after some resetting and more it turned out that there
>> was a serious overload on his server. Over 500 clients connected (norm is 50), and
>> they were all trying to get this file 777.gif. (Which is not on any of the
>> sites).
>
> Why not just create a 0 length file 777.gif and let people fetch it? It's
> probably a lot less work for the server.
I had several suggestions in this direction, and it does help a little. The math is however against me. I had over 50 requests/sec for this file. Now if the virus uses anything which leaves the connection open for the regular timeout, and the server uses KeepAlive, then you are running into trouble because you soon run out of server slots. And even if you were to go with the standard Apache setting of 15 secs, you have to set it at 750 server slots. A server slot takes about 13 MB of virtual memory, of which about 8 MB is resident. The machine has 512 MB of real memory, so after about 60 servers the machine starts to swap, which works until about 100-150 server slots (empirical proof). Now imagine what 500 would do, which is the initial setting for the number of MaxServers. The machine comes to a grinding halt, which was what we also painfully found out.

So solutions here are: either a very short keepalive timeout or no keepalive at all.

Note that since this morning over 45,000 infected systems have tried to access this server.

--WjW
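The slot arithmetic in the reply (requests per second times the time each connection is held, checked against what fits in memory before the box swaps) as an added example in Python; this is not code from the post, from FreeBSD or from Apache. It uses the figures the post gives (50 req/s, about 8 MB resident per child, 512 MB RAM, swapping from about 60 children) and assumes a 32 MB memory reserve for the kernel and other daemons, which is what reproduces the 60-child ceiling, plus a 50 ms service time per request. The directive names are those of Apache 2.0/2.2 prefork, which is what a 2006 server would have run.

```python
"""Capacity model for prefork Apache under a flood of keep-alive connections.

Added example, not code from the mailing-list post. The rate, RSS and RAM
figures are the ones the post quotes; the reserve and service time are
assumptions and are marked as such below.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerProfile:
    """Memory budget of a prefork Apache host."""
    ram_mb: int          # physical memory in the box
    resident_mb: float   # resident set of one prefork child
    reserve_mb: int      # memory left to kernel, buffers and other daemons (assumed)

    def max_children(self) -> int:
        """Largest number of children that fit without swapping."""
        return int((self.ram_mb - self.reserve_mb) // self.resident_mb)


def hold_time(keepalive_timeout: float, service_sec: float) -> float:
    """Seconds one connection occupies a child: the time to serve the request
    plus the idle keep-alive window (0 when KeepAlive is Off)."""
    return service_sec + keepalive_timeout


def slots_needed(req_per_sec: float, hold_sec: float) -> int:
    """Little's law: concurrent connections = arrival rate * time each is held."""
    return math.ceil(req_per_sec * hold_sec)


def plan(profile, req_per_sec, service_sec, candidate_timeouts):
    """Pick the longest candidate KeepAliveTimeout whose slot demand fits in
    RAM. Returns (timeout, max_clients) or None if even the shortest
    candidate (KeepAlive Off when 0 is offered) does not fit."""
    limit = profile.max_children()
    for timeout in sorted(candidate_timeouts, reverse=True):
        need = slots_needed(req_per_sec, hold_time(timeout, service_sec))
        if need <= limit:
            return timeout, limit
    return None


def prefork_directives(keepalive_timeout, max_clients):
    """Apache 2.0/2.2 prefork directives for the chosen settings; MaxClients
    is capped at what fits in memory, whatever the demand is."""
    if keepalive_timeout == 0:
        lines = ["KeepAlive Off"]
    else:
        lines = ["KeepAlive On", f"KeepAliveTimeout {keepalive_timeout}"]
    lines.append(f"MaxClients {max_clients}")
    return "\n".join(lines)


# Figures from the post: 50 req/s, 8 MB resident per child, 512 MB RAM,
# swapping from about 60 children. The 32 MB reserve is the assumption that
# reproduces that 60-child ceiling; the 50 ms service time is assumed.
POST_RATE = 50.0
POST_BOX = ServerProfile(ram_mb=512, resident_mb=8, reserve_mb=32)
SERVICE_SEC = 0.05

if __name__ == "__main__":
    default = slots_needed(POST_RATE, hold_time(15, 0))
    print(f"15 s KeepAliveTimeout at {POST_RATE:.0f} req/s needs {default} slots; "
          f"the box fits {POST_BOX.max_children()} before it swaps")
    choice = plan(POST_BOX, POST_RATE, SERVICE_SEC, [15, 5, 2, 1, 0])
    if choice is None:
        print("no keep-alive setting fits; shed the requests upstream")
    else:
        print(prefork_directives(*choice))
```

With the post's numbers the default 15 s timeout needs 750 slots against a 60-child ceiling, and the only candidates that fit are a 1 s timeout or KeepAlive Off, which is the conclusion the reply reaches; the 500-child MaxClients default would ask for roughly 4 GB of resident memory on a 512 MB box.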