|
> but seriously - do you have any logs you can post to indicate why you
> think it is a DOS attack? here is where a nice dual proc box setup with
Snort
> comes in handy, maybe you have one already ;) ?
I think I got the worm thing licked. I hexedited the httpd binary to
annouce itself as "Patchy" instead of "Apache" . We started getting
hammered today, and apache kept on dying on me. Seems like it keeps on
spawning more and more children each time the worm tries it's expoit.
I think the reason we are getting hit so hard by this while others aren't is
each realserver only has one apache daemon running for all the VIPs coming
in, instead of one apache for each VIP. Thus when we get attacked, it hits
all the VIPs at once, in essence hitting us 54 times at the same time.
I found the code for the worm, and the first thing it does is send a bad
http request to check what server is running. If it's not Apache, it just
gives up right there. So I think my little fix should at least help with
that part.
Anyway, I know it's not an LVS thing, I just wanted to let you guys know
what I found. I hope all is quiet tonight.
On a different note, I just figured out your signature ratz. Thanks for the
laugh!
|
