Here's the official response:

The customer refers to a cfserver.log logfile which doesn't exist.  I do see the stack 
traces he refers to in \cfusionmx\runtime\logs\default-event.log (JRun log file).  
When holding down F5, it grows at a rate of 300 kilobytes per minute.  It grows at a 
slower rate when debugging is turned off (smaller stack trace).  

I don't view this as a DoS attack for three reasons: 
1) the log growth rate isn't so fast as to cause a resource problem   
2) JRun automatically rolls over those log files for you when they get around 100K 
3) I can't get the server to actually crash.  

I did notice, with debugging on (as the customer appears to have), that it does take a 
lot longer for the server to recover after you nail it with so many concurrent 
requests.  

My recommendation to the customer would be to a) limit debugging by IP Address in the 
CF Admin b) tune the JRun throttle so that threads stuck in the queue for a while get 
timed-out earlier.  This is modified in jrun.xml: 
<attribute name="threadWaitTimeout">300</attribute>.  The default value of 300 seconds 
could be limited to 20 seconds or less.

> -----Original Message-----
> From: Andrew Whalley [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, August 20, 2002 8:46 AM
> To: CF-Linux
> Subject: RE: DoS attack circumvention
> 
> 
> Hello
> 
> yep, on Linux! thanks very much indeed for the quick reply.
> Ok, so I understand it's normal for there to be a large 
> number of children by default, but maybe I wasn't very good 
> at stating my original problem.
> 
> My clients (running IE 5 & 6) are on the same LAN as the 
> server running CFMX/Linux.  If they go to a ColdFusion page 
> on that server and hold down F5 for about 5-10 seconds, 
> ColdFusion dies on the server - as in any CF page will take an 
> infinite amount of time to load (only tested values of infinity 
> up to an hour, though)
> 
> Cfserver.log fills up rapidly with:
> 
> "
> 08/20 14:03:15 error Error while reading header SESSION
> java.io.IOException: Broken pipe
>       at java.net.SocketOutputStream.socketWrite(Native Method)
>       at java.net.SocketOutputStream.write(SocketOutputStream.java:91)
>       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:67)
>       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:125)
>       at jrun.servlet.jrpp.ProxyEndpoint.getHeader(ProxyEndpoint.java:687)
>       at javax.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:124)
>       at javax.servlet.http.HttpServletRequestWrapper.getHeader(HttpServletRequestWrapper.java:124)
>       at coldfusion.runtime.CgiScope.resolve(Unknown Source)
>       at coldfusion.runtime.CgiScope.containsName(Unknown Source)
>       at coldfusion.runtime.CgiScope.search(Unknown Source)
>       at coldfusion.runtime.NeoPageContext.searchScopes(Unknown Source)
>       at coldfusion.runtime.CfJspPage._get(Unknown Source)
>       at coldfusion.runtime.CFPage.isDefinedCanonicalVariable(Unknown Source)
>       at cfclassic2ecfm1738071574._factor5(/usr/local/coldfusionmx/wwwroot/WEB-INF/debug/classic.cfm:610)
>       at cfclassic2ecfm1738071574._factor6(/usr/local/coldfusionmx/wwwroot/WEB-INF/debug/classic.cfm:430)
>       at cfclassic2ecfm1738071574._factor7(/usr/local/coldfusionmx/wwwroot/WEB-INF/debug/classic.cfm:640)
>       at cfclassic2ecfm1738071574.runPage(/usr/local/coldfusionmx/wwwroot/WEB-INF/debug/classic.cfm:724)
>       at coldfusion.runtime.CfJspPage.invoke(Unknown Source)
>       at coldfusion.tagext.lang.IncludeTag.doStartTag(Unknown Source)
>       at coldfusion.filter.CfincludeFilter.invoke(Unknown Source)
>       at coldfusion.filter.CfincludeFilter.include(Unknown Source)
>       at coldfusion.filter.BrowserDebugFilter.invoke(Unknown Source)
>       at coldfusion.filter.ClientScopePersistenceFilter.invoke(Unknown Source)
>       at coldfusion.filter.BrowserFilter.invoke(Unknown Source)
>       at coldfusion.filter.GlobalsFilter.invoke(Unknown Source)
>       at coldfusion.filter.DatasourceFilter.invoke(Unknown Source)
>       at coldfusion.CfmServlet.service(Unknown Source)
>       at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106)
>       at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
>       at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:241)
>       at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:527)
>       at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:198)
>       at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:348)
>       at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:451)
>       at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:294)
>       at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
> "
> 
> The broken pipe would suggest to me that IE is closing the 
> connection before it has finished its request and starts a 
> new one at the speed of the repeat rate of the F5 key.  I 
> know this is an unusual condition, but I don't like the idea 
> of the server being able to be DoSed so easily.
> 
> andrew
> 
> -----Original Message-----
> From: Jesse Noller [mailto:[EMAIL PROTECTED]]
> Sent: 20 August 2002 13:35
> To: CF-Linux
> Subject: RE: DoS attack circumvention
> 
> 
> On linux, right?
> 
> Welcome to the wonderful world of Linux "threading". Linux 
> does not have threading itself, instead, it has threading 
> "emulation". This means that a parent and children threads 
> display as single processes instead of thread -> child (as on 
> Solaris). 
> 
> What you are seeing is normal, it's Java starting the parent 
> and forking the children. This is not a DoS attack.
> 
> Jesse Noller
> [EMAIL PROTECTED]
> Macromedia Server Development
> Unix/Linux "special guy" 
> 
> > -----Original Message-----
> > From: Andrew Whalley [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, August 20, 2002 5:04 AM
> > To: CF-Linux
> > Subject: DoS attack circumvention
> > 
> > Hello
> > 
> > I've got CFMX running with Apache 1.3.26 and everything seems to be 
> > running fine.
> > 
> > However, I notice that by default there seem to be ~40 cfusion 
> > processes spawned.
> > If I go to even a fairly basic ColdFusion page being run from that 
> > server and keep F5 (refresh) held down, the number of processes shoots 
> > up and even though my server load is still fairly low and there is 
> > memory free, ColdFusion hangs and does not serve any pages for a few 
> > seconds or sometimes ever again, if F5 is kept down for long enough.
> > 
> > I've tried playing with the settings of "Limit simultaneous requests 
> > to" and "Timeout Requests after ( seconds )" in CFAdministrator and all 
> > the Apache children settings to no avail.
> > 
> > The server itself is beefy, 2x 933 PIII & 512 MB Ram
> > 
> > Anybody any ideas or come across this before?  It's not a problem with 
> > the database server being a bottleneck, checked that - and the same 
> > CF page does not experience the same thing under Windows 2k/CF5.5.
> > 
> > thanks very much indeed
> > 
> > andy
> > 
> 
> 
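
The following is an added example, not part of the original thread or of any Macromedia tooling: a small Python check that counts the "Broken pipe" events quoted above in a JRun event log and flags time windows where they cluster, as they do under a held-down refresh. The sample log is constructed, and the MM/DD date order, the function names, the window size and the threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the layout quoted in the thread: "MM/DD HH:MM:SS level
# message", then the exception line and its "at ..." frames. Not real log data.
SAMPLE_LOG = """\
08/20 14:03:15 error Error while reading header SESSION
java.io.IOException: Broken pipe
\tat java.net.SocketOutputStream.socketWrite(Native Method)
08/20 14:03:15 error Error while reading header SESSION
java.io.IOException: Broken pipe
08/20 14:03:16 error Error while reading header SESSION
java.io.IOException: Broken pipe
08/20 14:03:40 info Server started
08/20 14:05:02 error Error while reading header SESSION
java.io.IOException: Broken pipe
"""

EVENT = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (\w+) (.*)$")

def broken_pipe_events(text, year=2002):
    """Timestamps of events whose very next line is a Broken pipe IOException."""
    stamps, pending = [], None
    for line in text.splitlines():
        m = EVENT.match(line)
        if m:
            # The log line carries no year, so the caller supplies one (assumption).
            pending = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d %H:%M:%S")
            continue
        if pending and line.startswith("java.io.IOException: Broken pipe"):
            stamps.append(pending)
        pending = None  # stack frames and unrelated lines end the pairing
    return stamps

def bursts(stamps, window_s=10, threshold=3):
    """Group events into fixed windows; return (window_start, count) at/over threshold."""
    buckets = Counter()
    for ts in stamps:
        midnight = ts.replace(hour=0, minute=0, second=0)
        offset = (ts - midnight).seconds
        buckets[ts - timedelta(seconds=offset % window_s)] += 1
    return sorted((start, n) for start, n in buckets.items() if n >= threshold)

if __name__ == "__main__":
    for start, n in bursts(broken_pipe_events(SAMPLE_LOG)):
        print(f"{start:%m/%d %H:%M:%S}: {n} aborted requests in 10s window")
```

The log has no client address in these lines, so a flagged window has to be correlated with the web server's access log to find the source.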