From owner-freebsd-security Tue May 18 3:15:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from mail.prime.net.ua (mail.prime.net.ua [195.64.229.2]) by hub.freebsd.org (Postfix) with ESMTP id 539F414CFF for ; Tue, 18 May 1999 03:15:49 -0700 (PDT) (envelope-from andyo@mail.prime.net.ua)
Received: from localhost (andyo@localhost) by mail.prime.net.ua (8.9.3/8.9.3) with SMTP id NAA16998; Tue, 18 May 1999 13:15:29 +0300 (EEST)
Date: Tue, 18 May 1999 13:15:28 +0300 (EEST)
From: "Andy V. Oleynik"
To: Dan Langille
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: http attack(?)
In-Reply-To: <19990518095202.EPCY7623210.mta2-rme@wocker>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If U remember, there was a problem in sendmail up to 8.9.2 with msgheader length exploit (starting 5 sessions has catastrophically slowed system down). My guess is giving a request to HTTP like this "GET /vary.long.maybe.even.not.existent.URL..." could lead to this problem. But it may be the question to apache.org.

On Tue, 18 May 1999, Dan Langille wrote:

> A few days ago, I noticed my machine was running extremely slowly. I did a top 10 at the console and
> got "too many open files". Existing telnet sessions were non-responsive. New telnets would not start.
>
> I then tried a top 5. named and syslogd were busy.
>
> I looked at httpd.error and 21 of these spread over 14 seconds:
> [Sat May 15 16:45:34 1999] accept: (client socket): Too many open files in system
>
> Looking in the access logs for one of my virtual websites I found this. Bits have been snipped to save
> repetition and conserve space.
>
> per.wave.orc.ru - - [15/May/1999:10:55:57 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:10:56:58 +1200] "-" 408 -
>
> [etc]
>
> per.wave.orc.ru - - [15/May/1999:16:42:21 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:42:49 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:45:30 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:46:19 +1200] "-" 408 -
>
> [at which point I guess httpd decided not to translate any more or named gave up]
>
> [this is also roughly the point at which I noticed the system was slowing]
>
> 212.48.133.22 - - [15/May/1999:16:55:35 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:55:40 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:47 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:55:48 +1200] "-" 408 -
> 212.48.133.22 - - [15/May/1999:16:55:59 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:56:05 +1200] "-" 408 -
> per.wave.orc.ru - - [15/May/1999:16:56:47 +1200] "-" 408 -
>
> [etc]
>
> per.wave.orc.ru - - [15/May/1999:17:14:13 +1200] "-" 408 -
>
> [ends]
>
> I shortly thereafter started blocking this address at my firewall. A further 200 or so packets were
> blocked. No further activity has been seen. Messages sent to various addresses at orc.ru have gone
> unanswered.
>
> Is this a known attack? A browser gone mad?
>
> A remark on irc was that httpd was trying to consume more resources than the machine possessed.
> --
> Dan Langille - DVL Software Limited
> The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
> NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
> The Racing System - http://www.racingsystem.com/racingsystem.htm
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message