Date: Thu, 14 Sep 2006 11:34:34 -0400
From: Gary Palmer <gpalmer@freebsd.org>
To: freebsd-net@freebsd.org
Subject: Re: blocking a string in a packet using ipfw
Message-ID: <20060914153434.GC17002@in-addr.com>
In-Reply-To: <450971EF.3020209@withagen.nl>
References: <4509592A.3040602@digiware.nl> <20060914144130.GB17002@in-addr.com> <450971EF.3020209@withagen.nl>
On Thu, Sep 14, 2006 at 05:14:55PM +0200, Willem Jan Withagen wrote:
> I had several suggestions in this direction. And it does help a little.
> The math is however against me.
>
> I had over 50 requests/sec for this file. Now if the virus uses anything
> which leaves the connection open for the regular timeout, and the server uses
> KeepAlive, then you are running into trouble because you soon run out of
> server slots. And even if you were to go with the standard Apache setting
> of 15 secs, you have to set it at 750 server slots.
>
> A server slot takes about 13MB virtual memory, of which about 8MB is resident.
> The machine has 512MB real memory, so after about 60 servers the machine
> starts to swap. Which works until about 100-150 server slots (empirical
> proof).
> Now imagine what 500 would do, which is the initial setting for the number
> of MaxServers. The machine comes to a grinding halt. Which was what we also
> painfully found out.
>
> So solutions here are:
> either a very short keepalive timeout
> or no keepalive at all.
>
> Note that since this morning over 45,000 infected systems tried to access
> this server.

<puts on evil hat>

Configure Apache to issue an HTTP 302 redirect to some big file on
microsoft.com. You might even be able to get them to download the Windows
Defender thing to clean up their systems.

</puts on evil hat>

You might still have to turn off keepalives :-(
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060914153434.GC17002>
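The capacity argument in the quoted message (requests per second times the time each connection pins a child, against how many children fit in RAM) is Little's law applied to Apache's prefork model. The following is an added worked example, not code from the thread or from the Apache project: it takes the figures quoted above (50 req/s, 15 s KeepAliveTimeout, ~8 MB resident per child, 512 MB of RAM) and derives the largest KeepAliveTimeout the box can afford, or "KeepAlive Off" when even one whole second is too much. The per-request service time (125 ms), the 32 MB reserved for the OS, and the use of Apache 2.2 directive names (MaxClients rather than 2.4's MaxRequestWorkers) are assumptions of the example.

```python
"""Capacity model for a keep-alive HTTP server under a flood of clients.

Added example; the request rate, timeout and memory figures are the ones
quoted in the thread, the service time and OS reserve are assumed.
"""
import math
from dataclasses import dataclass


@dataclass
class ServerProfile:
    request_rate: float        # requests/second arriving at the server
    service_time: float        # seconds a child is busy serving one request (assumed)
    keepalive_timeout: float   # seconds an idle keep-alive connection pins a child
    resident_mb: float         # resident memory per prefork child
    ram_mb: float              # physical memory on the box
    reserve_mb: float = 32.0   # memory kept back for the OS and buffers (assumed)


def slots_needed(p: ServerProfile) -> int:
    """Concurrent children required, by Little's law (L = lambda * W).

    A client that never reuses its connection pins a child for the service
    time plus the whole KeepAliveTimeout, so that is the hold time W.
    """
    hold_time = p.service_time + p.keepalive_timeout
    return math.ceil(p.request_rate * hold_time)


def slots_affordable(p: ServerProfile) -> int:
    """How many children fit in RAM before the box starts swapping."""
    return int((p.ram_mb - p.reserve_mb) // p.resident_mb)


def max_keepalive_timeout(p: ServerProfile) -> float:
    """Largest KeepAliveTimeout (seconds) at which slots_needed <= slots_affordable.

    Solves rate * (service_time + timeout) <= affordable for timeout.
    """
    budget = slots_affordable(p) / p.request_rate - p.service_time
    return max(0.0, budget)


def apache_directives(p: ServerProfile) -> list[str]:
    """httpd.conf lines (Apache 2.2 names) implied by the model.

    KeepAliveTimeout is whole seconds in 2.2, so anything under one second
    means keep-alive has to go entirely: the second option in the thread.
    """
    cap = slots_affordable(p)
    timeout = math.floor(max_keepalive_timeout(p))
    lines = [f"MaxClients {cap}"]
    if timeout < 1:
        lines.append("KeepAlive Off")
    else:
        lines += ["KeepAlive On", f"KeepAliveTimeout {timeout}"]
    return lines


if __name__ == "__main__":
    # The situation described in the thread: 50 req/s, stock 15 s timeout,
    # 8 MB resident per child, 512 MB of RAM.
    box = ServerProfile(request_rate=50, service_time=0.125,
                        keepalive_timeout=15, resident_mb=8, ram_mb=512)
    print("children needed at 15 s keep-alive:", slots_needed(box))
    print("children that fit in RAM:", slots_affordable(box))
    print("max affordable KeepAliveTimeout: %.3f s" % max_keepalive_timeout(box))
    print("\n".join(apache_directives(box)))
```

With the thread's numbers the model needs 757 children but can afford 60, which is why the 500-child default brought the machine down; the only keep-alive setting that fits is one second. Doubling the arrival rate to 100 req/s pushes the affordable timeout below one second and the model recommends KeepAlive Off outright. Note that MaxClients only caps the damage: once the cap is hit, surplus infected clients queue in the listen backlog or get refused, which is why a redirect or a firewall rule upstream of Apache is still worth having.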