> I think I got the worm thing licked. I hexedited the httpd binary to
> announce itself as "Patchy" instead of "Apache". We started getting

:) Pretty sick but effective for 98% of the stupid worms.

> hammered today, and apache kept on dying on me. Seems like it keeps on
> spawning more and more children each time the worm tries its exploit.

Set a hard limit of allowed forks then.

> I think the reason we are getting hit so hard by this while others aren't is
> each realserver only has one apache daemon running for all the VIPs coming
> in, instead of one apache for each VIP. Thus when we get attacked, it hits
> all the VIPs at once, in essence hitting us 54 times at the same time.

Set the maximum of forked processes to a lower count. Since you've
parallelised the whole website by using LVS you need to adjust the
forking parameters in httpd.conf and divide them by at least the amount
of RS.

> I found the code for the worm, and the first thing it does is send a bad
> http request to check what server is running. If it's not Apache, it just
> gives up right there. So I think my little fix should at least help with
> that part.

Yes.

> Anyway, I know it's not an LVS thing, I just wanted to let you guys know
> what I found. I hope all is quiet tonight.

Come to think about it ... even with the /32 you need the proc-fs tuning
because you still address more than 1024 potential neighbours.

> On a different note, I just figured out your signature ratz. Thanks for the
> laugh!

You're welcome. Best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc
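A way to confirm what banner the renamed httpd actually announces from the outside, the check the worm's fingerprinting step relies on. This is an added example, not code from the thread; the target host and port are assumptions and the sample responses are constructed.

```python
"""Report the Server banner an httpd announces (e.g. after the 'Patchy' rename)."""
import socket
from typing import Optional


def server_banner(raw_response: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def announces_apache(banner: Optional[str]) -> bool:
    """Mirror the worm's decision from the thread: it only continues on an Apache banner."""
    return banner is not None and "apache" in banner.lower()


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Send a minimal HTTP/1.0 request and return the Server banner the host announces.
    Apache also sets Server on its error responses, so a plain GET is enough."""
    request = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in b"".join(chunks):
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return server_banner(b"".join(chunks))


# Constructed sample responses (not captured from any real host).
SAMPLE_APACHE = b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.20 (Unix)\r\nContent-Length: 0\r\n\r\n"
SAMPLE_PATCHY = b"HTTP/1.1 200 OK\r\nServer: Patchy/1.3.20 (Unix)\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumed target
    banner = probe(target)
    print(f"{target} announces {banner!r}; looks like Apache: {announces_apache(banner)}")
```

Run it against each real server after the binary edit; if any still reports an Apache banner, that RS keeps the worm's attention and the MaxClients tuning above is the only thing protecting it.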