Tonight my James server wrote 222 times in 7 seconds, from 04:25:16 to
04:25:23, the following message to the connections.log file (this log file
is otherwise always empty):
11/02/03 04:25:16 ERROR connections: Exception executing client connection runner: Could not create enough Components to service your request.
java.lang.Exception: Could not create enough Components to service your request.
    at org.apache.avalon.excalibur.pool.DefaultPool.get(DefaultPool.java:133)
    at org.apache.james.util.connection.ServerConnection.addClientConnectionRunner(ServerConnection.java:213)
    at org.apache.james.util.connection.ServerConnection.run(ServerConnection.java:297)
    at org.apache.avalon.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:47)
    at org.apache.avalon.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:80)
During exactly the same time there were the following entries written to the
smtpserver.log file (linuxserv on 10.10.10.22 is our firewall server; all
connections from outside the company always come through it):
11/02/03 04:25:16 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:16 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:18 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:18 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:20 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:21 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:21 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:22 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:22 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:22 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:23 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:23 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:23 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:23 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:24 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:24 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:24 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:25 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:25 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:25 INFO smtpserver: Connection from LINUXSERV (10.10.10.22)
11/02/03 04:25:25 ERROR smtpserver: AUTH method LOGIN failed
11/02/03 04:25:25 ERROR smtpserver: AUTH method LOGIN failed
There was no other entry in the other logfiles during the same period.
For completeness of information, yesterday I had changed the
<connections>
<idle-timeout>300000</idle-timeout>
<max-connections>30</max-connections>
</connections>
to
<connections>
<idle-timeout>300000</idle-timeout>
<max-connections>0</max-connections>
</connections>
just as an experiment.
What do you think about all this?
Looks like an attack, doesn't it?
Couldn't it be a kind of denial of service attack that, if done during
normal hours, could stress the system? In such a case, what could be done to
avoid such damage?
Regards,
Vincenzo
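
The correlation described in the message above (a burst of connections from one address together with repeated AUTH failures), written as a log check. This is an added example, not part of the original post and not James code; the function names, the thresholds, the 10-second window and the day/month/year reading of the timestamp are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Line layout taken from the smtpserver.log excerpt in the post.
LINE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+\w+\s+smtpserver: (.*)$")
CONN = re.compile(r"^Connection from \S+ \(([\d.]+)\)")
AUTH_FAIL = re.compile(r"^AUTH method \S+ failed")

def parse(lines):
    """Yield (timestamp, kind, ip) for connection and AUTH-failure lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        # Assumption: the timestamp is day/month/year.
        ts = datetime.strptime(m.group(1), "%d/%m/%y %H:%M:%S")
        conn = CONN.match(m.group(2))
        if conn:
            yield ts, "conn", conn.group(1)
        elif AUTH_FAIL.match(m.group(2)):
            yield ts, "fail", None  # the failure line carries no source address

def find_bursts(lines, window=timedelta(seconds=10), conn_limit=10, fail_limit=5):
    """Alert when one source opens >= conn_limit connections while
    >= fail_limit AUTH failures are logged inside the same sliding window."""
    recent, alerts = deque(), []
    for event in parse(lines):
        ts = event[0]
        recent.append(event)
        while ts - recent[0][0] > window:
            recent.popleft()
        conns = Counter(ip for _, kind, ip in recent if kind == "conn")
        fails = sum(1 for _, kind, _ in recent if kind == "fail")
        if not conns:
            continue
        ip, count = conns.most_common(1)[0]
        # One alert per burst: suppress repeats inside the same window.
        if count >= conn_limit and fails >= fail_limit and (
                not alerts or ts - alerts[-1]["at"] > window):
            alerts.append({"at": ts, "ip": ip, "connections": count, "auth_failures": fails})
    return alerts

# Constructed sample in the excerpt's format (not the real log); MAILHOST is made up.
BURST = "11/02/03 04:25:%02d INFO smtpserver: Connection from LINUXSERV (10.10.10.22)"
FAIL = "11/02/03 04:25:%02d ERROR smtpserver: AUTH method LOGIN failed"
SAMPLE = ([BURST % 16] * 5 + [FAIL % 18] * 4 + [BURST % 18] * 5 + [FAIL % 20] * 4
          + [BURST % 21] * 2
          + ["11/02/03 04:30:00 INFO smtpserver: Connection from MAILHOST (10.10.10.30)"])

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE):
        print(alert)
```

Because every outside connection reaches James through the firewall, the address in this log is always 10.10.10.22, so the check can flag the burst but the real origin has to come from the firewall's own logs.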