Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: mod_status SS values explanation |
|
| Author |
|
Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland
|
 Posted: Wed 05 Mar '14 15:29 Post subject: mod_status SS values explanation |
 |
|
I had included mod_status to one of my Apache instance. In general this Apache instance is working very well, answering fast etc. In the other hand some of the information provided by this module are quite odd for me.
My first doubt is about SS values - isn't too much ? SS description - Seconds since beginning of most recent request - i see lot of more recent requests, so what exactly this value mean ? I thought this is the time counted from the moment when last request came to Apache, which should not be more than 0 seconds as this instance is under heavy-load all the time.
What is the NULL request ? I had a feeling that lot of the requests are just old, hanged, waiting and doing nothing more than occupying connection pool? |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Fri 07 Mar '14 17:40 Post subject: |
|
|
it just means that this slot / thread is idle since n seconds.
Even if you scroll down httpd.apache.org/server-status you can see a long idle time.
On my server it is is a little busy (~ 25%) even than there are some "264734 SS" values.
Unless every status under the "pid table" is a R or W your server could handle more requests (counts only for apache not the CPU from scripts etc or the harddrive usage) |
|
| Back to top |
|
Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland
|
| Posted: Tue 11 Mar '14 18:54 Post subject: |
|
|
| I had found a lot of connections in W state with SS over 800000 (approx 9 days). It looks like my Apache is vulnerable to Slow HTTP Dos attack. |
|
| Back to top |
|
James Blond
Moderator
Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg
|
| Posted: Wed 12 Mar '14 0:10 Post subject: |
|
|
Well if you are afraid of a slow dos attack, on apache haus site there is Mod Antiloris
and or use mod security rules
| Code: |
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'1234123456'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop, msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'1234123457'"
|
Maybe Steffen was already some other rules. |
|
| Back to top |
|
Qmpeltaty
Joined: 06 Feb 2008
Posts: 182
Location: Poland
|
| Posted: Wed 12 Mar '14 11:15 Post subject: |
|
|
I had stopped this Apache instance and started again - before stopping it i had 13500 (ThreadsPerChild 14500) busy workers with 85% in W state. After stopping it and starting again i can see 500-600 workers busy max, no W with high SS values anymore.
From the one hand i'm happy that no more request are hanging, but i'm confused about the conclusion - what was the reason of hanged connections ?
The positive aspect is, that hanged requests had been initialized from clients browsers for 100% - it was not dos attack. |
|
| Back to top |
|
|
|
|
|
|
