Joe Rhett wrote:
So, say you have a server which listens on both port 443 for SSL
and 80 for HTTP, does access on port 80 get blocked at the same
time as access on port 443 gets blocked.
Yes. Not 'blocked' -- TCP connects happen, but the server doesn't reply
for up to the Timeout period. If you telnet to it by hand during the
attack you can wait for 3 minutes and get the response.

FYI, in the ssl_error_log you get multiples of these:

[15/Dec/2002 13:23:18 28357] [error] SSL handshake failed (server synergy.isite.net:443, client 61.133.84.147) (OpenSSL library error follows)
[15/Dec/2002 13:23:18 28357] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol [Hint: speaking not SSL to HTTPS port!?]

Only 1 or sometimes 2 per site. In the main error log you get

[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:18 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:19 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:21 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:21 2002] [info] [client 61.133.84.147] read request line timed out
[Sun Dec 15 13:23:21 2002] [info] [client 61.133.84.147] read request line timed out


Note that these servers are all very lightly loaded. They normally only
clear 3% utilization during backups. We had these exact same symptoms on a
server we had just put into production, which had only a single live
site (with no content yet!) on it. This isn't a blast-DoS, as the total
requests are identical with the number of sites on each server plus
normal traffic.

The fact that there are at least 25 timeouts on the same address suggests
that your claim that there is only one hit per vhost is inaccurate. Are
you _sure_ it isn't just using up all the available children (btw, on any
heavily loaded site I've ever had to deal with, I've set the timeout
_much_ lower than 3 minutes!).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
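To check Ben's point on your own error_log (count the "read request line timed out" events per source and compare the count against the children Apache can spawn), here is an added Python example; it is not code from the thread, and the log lines, client addresses and MaxClients value in it are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache 1.3-style error_log line, in the format quoted in the thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
TIMEOUT_MSG = "read request line timed out"

def parse_line(line):
    """Return (timestamp, level, client_ip, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("level"), m.group("ip"), m.group("msg")

def request_line_timeouts(lines):
    """Per client IP: (number of request-line timeouts, first seen, last seen)."""
    counts, first, last = Counter(), {}, {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, ip, msg = parsed
        if msg != TIMEOUT_MSG:
            continue
        counts[ip] += 1
        first[ip] = min(first.get(ip, ts), ts)
        last[ip] = max(last.get(ip, ts), ts)
    return {ip: (counts[ip], first[ip], last[ip]) for ip in counts}

def children_exhausting_clients(lines, max_clients, threshold=0.5):
    """Flag sources whose timed-out connections alone held `threshold` of MaxClients.
    Each such connection kept a child busy for the whole Timeout period, which is
    the 'using up all the available children' case rather than one hit per vhost."""
    return {ip: stats for ip, stats in request_line_timeouts(lines).items()
            if stats[0] >= max_clients * threshold}

# Constructed sample: one source with 29 timeouts in a few seconds, one benign client.
SAMPLE_LOG = (
    ["[Sun Dec 15 13:23:18 2002] [info] [client 192.0.2.10] read request line timed out"] * 19
    + ["[Sun Dec 15 13:23:19 2002] [info] [client 192.0.2.10] read request line timed out"] * 7
    + ["[Sun Dec 15 13:23:21 2002] [info] [client 192.0.2.10] read request line timed out"] * 3
    + ["[Sun Dec 15 13:20:02 2002] [info] [client 198.51.100.7] read request line timed out",
       "[Sun Dec 15 13:23:20 2002] [notice] [client 198.51.100.7] some unrelated message"]
)

if __name__ == "__main__":
    for ip, (n, t0, t1) in children_exhausting_clients(SAMPLE_LOG, max_clients=50).items():
        print(f"{ip}: {n} request-line timeouts between {t0:%H:%M:%S} and {t1:%H:%M:%S}")
```

Run it against the real file with `request_line_timeouts(open("/path/to/error_log"))` and the MaxClients from your httpd.conf; the flagged entries are the sources whose idle connections are consuming children for the full Timeout.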