Possible DoS attack? and how to prevent?


schilly

Recommended Posts

Well our db server just went down for 4 mins due to max connections being hit. After looking at the processlist for the db it was all sleep threads. I get an email any time the db goes down with POST, GET, SESSION, SERVER info from PHP. After reviewing, someone from the same ip hit the same page on our web server 400+ times in 3mins. I'm assuming this is a DoS attack?

 

Is there any way I can know for sure? What should I look for?

 

How do I prevent this in the future?

 

Max idle time on the db right now is 3min. Should I decrease this to 30s?

 

Why did I receive all these sleep threads in the db? Was it because the attacker killed the HTTP connection before the server could respond?

 

 

Any help is greatly appreciated.

 

Thanks.

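One way to check the "same IP, same page, 400+ hits in 3 minutes" pattern from the Apache access log rather than from the PHP alert emails, as an added example (not code from this thread). It assumes Apache combined log format; the sample lines, IPs, threshold and window are constructed for the demo, and lines are assumed to be in log (chronological) order.

```python
"""Flag any (client IP, URL path) pair whose request count inside a sliding
window reaches a threshold, i.e. the burst the original poster observed.
Added example; not code from the thread. Sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path-without-query, status) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")  # drop "+0000"
    return ip, when, path.split("?")[0], int(status)

def find_bursts(lines, threshold=100, window=timedelta(minutes=3)):
    """Return {(ip, path): peak_count} for pairs that hit `threshold` requests
    within any `window`; assumes `lines` are in chronological order."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, path, _status = parsed
        q = recent[(ip, path)]
        q.append(when)
        while q and when - q[0] > window:   # evict timestamps older than window
            q.popleft()
        if len(q) >= threshold:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks

def make_line(ip, when, path, status=200):
    """Build a constructed combined-format line for the demo."""
    return '%s - - [%s +0000] "GET %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (
        ip, when.strftime("%d/%b/%Y:%H:%M:%S"), path, status)

START = datetime(2009, 6, 1, 12, 0, 0)   # constructed
SAMPLE_LINES = (
    [make_line("192.0.2.10", START + timedelta(seconds=i // 2), "/store.php")
     for i in range(150)]                                   # 150 hits in 75 s
    + [make_line("198.51.100.7", START + timedelta(seconds=30 * i), "/store.php?page=%d" % i)
       for i in range(5)]                                   # normal browsing
)

if __name__ == "__main__":
    for (ip, path), count in find_bursts(SAMPLE_LINES).items():
        print("burst: %s hit %s %d times within the window" % (ip, path, count))
```

Run it against the real log with `find_bursts(open("/var/log/apache2/access.log"))` and the threshold tuned to the site's normal traffic; the flagged IP/path pairs are what to feed into mod_evasive or firewall rules.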

Hmm, albeit a weak one, I do think it might be an attack of some kind. It's either that or a very aggressive search crawler (Google bot for example).

 

Is the page particularly resource intensive?  Because if I were going to attack a website and had little resources, my approach would be to find a very DB/memory heavy page and slam it.  If a page is rather resource intensive, a fairly modest computer/internet connection can flood a server.

 

Anyway, is it the exact URL or variations of it?  For example store.php over and over again, or store.php?page=1 then store.php?page=2...

 

Also, have you tried googling the IP address?  If it's a search bot, that will likely bring something up about it.


See: http://wiki.kartbuilding.net/index.php/Apache#mod_evasive

 

To prevent the db server from falling over, I suggest you limit the number of connections allowed from a mysql user. I limited mine to 10 simultaneous connections per user. This helped a LOT. In my case the db server didn't fall over, and after a few minutes sorted itself out.

I also suggest you look at what web pages are accessed and what MySQL queries are being made. It could be the type of MySQL query being made. Also, did you see if there are any MySQL slow queries? (Assuming you're using MySQL.)

 

-steve


Thanks for the replies.

 

IP: 208.53.157.241.  I don't see much about it other than it's in Illinois, US. It was the same URL the whole time.

 

I'll take a look at mod_evasive. Looks very interesting.

 

I'll check the slow query log but I don't think this is the issue. My main concern is all the sleep queries in MySQL. I think I'll limit the max idle time to 30s instead of 300s.

 

So if this person loads our page, then kills the connection really fast before the page can finish loading, would this leave the MySQL connection open for that page load? It seemed like, for some reason, connections were getting closed.
