NetBSD-Users archive
Handling of DOS attacks in NetBSD 5
Hi,
In the past, I have observed DOS attacks where a client connects to port 80
and then leaves the connection open indefinitely. Repeating the process can
easily tie up all available http processes.
I recently upgraded several servers to NetBSD 5 and I now observe a slightly
modified behavior, presumably because of the accept_filter(9) addition to the
kernel. Instead of http process starvation, I now observe between one and two
hundred TCP connections that are in the "ESTABLISHED" state (as reported by
netstat -s). Once this happens, the server denies additional HTTP requests.
Here's a small fragment of a "netstat -an" output:
tcp 0 0 x.x.x.x.80 x.x.x.x.3225 ESTABLISHED
tcp 0 0 x.x.x.x.80 x.x.x.x.3220 ESTABLISHED
tcp 0 0 x.x.x.x.80 x.x.x.x.3219 ESTABLISHED
tcp 0 0 x.x.x.x.80 x.x.x.x.3211 ESTABLISHED
tcp 0 0 x.x.x.x.80 x.x.x.x.3205 ESTABLISHED
tcp 0 0 x.x.x.x.80 x.x.x.x.3200 ESTABLISHED
tcp 0 0 x.x.x.x.80 x.x.x.x.3196 ESTABLISHED
Is there a way to terminate such a bogus connection individually? I notice
that "apachectl restart" leaves them open, whereas "apachectl stop" clears
them.
How can I adjust the number of connections that the kernel allows? What is the
resource use per connection? I'm thinking that if I could increase the limit
by, say, a hundredfold, I could turn it into a nuisance rather than an
emergency.
Any other thoughts?
Thanks,
Sverre
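As an added example (not part of Sverre's post), here is a small POSIX shell script that groups the ESTABLISHED port-80 connections in "netstat -an" output by remote host, so a flood like the one shown above becomes visible per peer and can be thresholded; the sample netstat output and all addresses in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: summarise ESTABLISHED
# connections to a local port per remote host, from "netstat -an" output.

# Constructed sample in NetBSD "netstat -an" layout (placeholder addresses).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  10.0.0.5.80            192.0.2.10.3225        ESTABLISHED
tcp        0      0  10.0.0.5.80            192.0.2.10.3220        ESTABLISHED
tcp        0      0  10.0.0.5.80            192.0.2.10.3219        ESTABLISHED
tcp        0      0  10.0.0.5.80            198.51.100.7.40001     ESTABLISHED
tcp        0      0  10.0.0.5.22            198.51.100.7.40002     ESTABLISHED
tcp        0      0  10.0.0.5.80            192.0.2.10.3211        TIME_WAIT
tcp        0      0  *.80                   *.*                    LISTEN'

# established_per_peer PORT
# Reads netstat output on stdin; prints "count remote_host", busiest first.
# The remote host is the foreign address with its trailing ".port" removed
# (netstat on NetBSD appends the port after a '.').
established_per_peer() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n = split($4, l, ".")          # local address, port is last part
            if (l[n] != port) next
            m = split($5, r, ".")          # foreign address
            host = r[1]
            for (i = 2; i < m; i++) host = host "." r[i]
            count[host]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn
}

# hoarding_peers PORT THRESHOLD
# Prints only remote hosts holding at least THRESHOLD established
# connections to PORT; a single host near the worker limit is the
# pattern described in the post.
hoarding_peers() {
    established_per_peer "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Stand-alone run on the constructed sample (replace with: netstat -an | ...)
printf '%s\n' "$SAMPLE" | established_per_peer 80
```

On a live system, feed the real output with `netstat -an | established_per_peer 80`, and run it periodically to spot the build-up before the worker pool is exhausted.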