
Apache 1.3 Server Hangs


Joe

Sep 23, 2002, 12:40:15 PM
I have been having an issue with Apache 1.3 hanging over the last
week.

The server seems to hang when I get the following error in my error
log.

"Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)"

When I look at RFC2616 it talks about this being an Incomplete Client
Request and that code 400 Bad request should be sent to the Client.

Why would this hang my server?

When this happens I can not stop or restart Apache, I have to reboot
the Sun Server.


Thanks
Joe

Joshua Slive

Sep 23, 2002, 12:52:57 PM
Joe <jbri...@infomedics.com> wrote:
> "Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)"

> When I look at RFC2616 it talks about this being an Incomplete Client
> Request and that code 400 Bad request should be sent to the Client.

> Why would this hang my server?

> When this happens I can not stop or restart Apache, I have to reboot
> the Sun Server.

There is NO WAY that apache should be able to hang your server to a
point where it needs to reboot. If that is happening, you have an OS
or hardware problem. At the absolute worst, you should be able to
kill the apache process with "kill -9".

What is the exact version of Apache that you are using? Older
versions have some possible DOS attacks. What modules are you
using? Try getting rid of as many modules as you can. In
particular, try getting rid of any invasive modules like mod_gzip
or mod_bandwidth.

--
Joshua Slive
ne...@slive.ca
Apache HTTP Server Users Mailing List: http://httpd.apache.org/userslist.html

Phil Eschallier

Sep 27, 2002, 1:30:03 PM
"Joshua Slive" <ne...@slive.ca> wrote in message news:<amngt9$nhu$1...@nntp.itservices.ubc.ca>...

> Joe <jbri...@infomedics.com> wrote:
> > "Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)"
>
> > When I look at RFC2616 it talks about this being an Incomplete Client
> > Request and that code 400 Bad request should be sent to the Client.
>
> > Why would this hang my server?
>
> > When this happens I can not stop or restart Apache, I have to reboot
> > the Sun Server.
>
> There is NO WAY that apache should be able to hang your server to a
> point where it needs to reboot. If that is happening, you have an OS
> or hardware problem. At the absolute worst, you should be able to
> kill the apache process with "kill -9".
>
> What is the exact version of Apache that you are using? Older
> versions have some possible DOS attacks. What modules are you
> using? Try getting rid of as many modules as you can. In
> particular, try getting rid of any invasive modules like mod_gzip
> or mod_bandwidth.

A bit more information from my perspective. Machines I manage are
being hit by this worm. We're patched and on Solaris / SPARC so we
should not be vulnerable to infection, but these requests tie up the
web server!!

When hit with these bad HTTP 1.1 requests, the connection appears to
remain stuck in the "R"ead state ... and eventually all Apache process
slots are filled and the web server no longer responds.

To remedy, I can stop the web server processes and re-start it. This
restores services. I also use IP routing to blackhole the offending
remote server.

It sure would be nice if Apache didn't hold the process in the Read
state after receiving such a malformed request.

... Phil

Gerry C.

Sep 30, 2002, 3:00:27 PM
Phil:

I have seen similar behavior with patched Apache/mod_ssl (openssl
0.9.6g). Since the worm scans on port 80 with:
Get / HTTP/1.1

Your apache server replies with "request without hostname" error.
Then the worm starts hitting port 443 (SSL) with 20 or so connections
(you'll have to check ssl logs to see this), this is the part where
you would reach MaxClients very quickly. These SSL connections
eventually time out:

[error] SSL handshake timed out

But depending on your configuration, waiting for all those SSL
connections to time out can take a while. Raising MaxClients by about
20 might help, but your machine's load may spike when the worm makes
its connections.

So far, my solution has been to use a perl script (which I will be
happy to share once I remove my site specifics from it) to simply
monitor the Apache error log for the "request without hostname" error
and block the ip responsible from port 443 (using iptables).

This solution works well so far (past 4 days). Since it only blocks
SSL, users can still browse server on port 80 if they accidentally got
blocked, meanwhile the worm is unable to use port 443 to make its 20+
connections. The problem with my method is that a few SSL connections
can still be established before the ip is blocked (ideally no SSL
connections would get made during the time between detection of the
error and blocking of the ip). I would like to issue the "iptables -A
INPUT -j DROP -s <ip_address>" command directly from the Apache
handler, but I am still looking for a way to do this.

Does any of this help Phil? Anyone know how I could issue the
iptables command directly from the Apache request Handler?

ph...@buxtech.com (Phil Eschallier) wrote in message news:<256aa009.02092...@posting.google.com>...


> "Joshua Slive" <ne...@slive.ca> wrote in message news:<amngt9$nhu$1...@nntp.itservices.ubc.ca>...
> > Joe <jbri...@infomedics.com> wrote:
> > > "Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)"
>
> > > When I look at RFC2616 it talks about this being an Incomplete Client
> > > Request and that code 400 Bad request should be sent to the Client.
>
> > > Why would this hang my server?
>

It's not. Most likely it's the 20+ SSL connections that follow.
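
The log-watching approach described in the post above, sketched in Python as an added example (this is not Gerry's Perl script, which does not appear in the thread). The log line layout around `[client <ip>]`, the sample addresses, the allowlist and the `-p tcp --dport 443` restriction are assumptions made for illustration.

```python
import ipaddress
import re

# Only "[client <ip>]" and the message quoted in the thread are relied on;
# the rest of the error_log layout is assumed.
LINE_RE = re.compile(
    r"\[client (?P<ip>[^\]\s]+)\].*request without hostname", re.IGNORECASE
)

# Constructed sample log lines (documentation and private addresses only).
SAMPLE_LOG = """\
[Mon Sep 30 14:58:01 2002] [error] [client 192.0.2.44] Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)
[Mon Sep 30 14:58:02 2002] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico
[Mon Sep 30 14:58:09 2002] [error] [client 192.0.2.44] Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)
[Mon Sep 30 14:59:30 2002] [error] [client 203.0.113.9;reboot] Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)
[Mon Sep 30 15:00:12 2002] [error] [client 10.0.0.5] Client sent HTTP/1.1 request without hostname (see RFC2616 14.23)
"""

def offending_ips(lines, allowlist=()):
    """Return unique, validated client IPs that triggered the error, in order seen."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    seen, result = set(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            # Log content is untrusted: accept only a well-formed IP address.
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if ip in seen or any(ip in net for net in allowed):
            continue
        seen.add(ip)
        result.append(ip)
    return result

def block_rules(ips):
    """Build one iptables argv per IP: drop TCP/443 only, leaving port 80 open."""
    return [
        ["iptables", "-A", "INPUT", "-p", "tcp", "-s", str(ip),
         "--dport", "443", "-j", "DROP"]
        for ip in ips
    ]

if __name__ == "__main__":
    ips = offending_ips(SAMPLE_LOG.splitlines(), allowlist=["10.0.0.0/8"])
    for argv in block_rules(ips):
        print(" ".join(argv))  # review first; apply as root with subprocess.run(argv)
```

Building the rule as an argument list and validating the address first keeps text from the log out of any shell command line, and the allowlist keeps internal monitors or proxies from being blocked by their own malformed probes.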

Jeremy K

Oct 1, 2002, 9:47:44 PM
I have been having the exact same problems.

I don't know why this isn't being made more of, or why more people
aren't having the problems, or aren't noticing them.

I think it happens more if you have one apache process listening to a
bunch of IP addresses, the more IP address on the same network, the
more attacks coming in.

My solution was to hexedit httpd and change "Apache 1.3.X" to "Patchy
1.3.X" That way the worm doesn't think you are running apache and
just quits.

I don't know who to escalate this problem to, but someone needs to
know there is an issue to non-exploitable apaches.

geral...@yahoo.com (Gerry C.) wrote in message news:<1f702bf8.02093...@posting.google.com>...

Andy Barclay

Oct 15, 2002, 12:24:04 AM
Just to add a datapoint to this discussion, my apache
server 2.0.36, on Solaris 2.8, was hanging too. I decided to update
apache to the latest version, 2.0.43, but this is still hanging.

As a last ditch effort, I have tried to add the following lines
to the httpd.conf:
-----------
# AWB - another attempt to keep apache from being DOS'd by slapper
ServerTokens ProductOnly
ServerSignature Off
-----------

There are some reports of this working, because slapper
just moves along if it can't establish that it's talking to apache.

Of course, it's just a matter of time before someone modifies the worm
to exploit this DOS.


jkus...@yahoo.com (Jeremy K) wrote in message news:<ed483a2f.02100...@posting.google.com>...
