0

It seems that I'm being flooded with requests to my websites, which is very strange. I only use my server for private use; I can only assume that whoever is doing this has a bad motive.

This is happening on an Ubuntu server. Things get so bad that the server eventually blocks access to SSH.

Below is a log of this:

www-data  2417  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2418  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2419  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2422  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2424  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2425  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2426  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2427  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2428  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2433  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2435  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2436  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2442  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2443  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2444  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2445  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2448  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2451  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2452  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2454  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2456  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2457  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2458  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2459  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2460  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2462  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2463  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2464  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2465  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2468  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2471  2129  0 17:32 ?        00:00:00 /usr/sbin/apache2 -k start
postfix   2476  2000  0 17:32 ?        00:00:00 anvil -l -t unix -u -c
www-data  2480  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2481  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2482  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2484  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2485  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2486  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2489  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2491  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2497  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2498  2129  0 17:33 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2502  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2503  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2504  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2505  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2507  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2508  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2509  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2510  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2511  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2512  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2514  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2515  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2516  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2517  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2518  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2519  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2520  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2521  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2522  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2523  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2524  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2525  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2526  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2527  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2528  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2529  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2530  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2531  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2532  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2534  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2535  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2536  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2537  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2538  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2539  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2541  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2542  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2543  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2544  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2545  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2546  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2547  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2548  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2549  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2550  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2551  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2552  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2553  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2554  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2555  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2556  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2557  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  2558  2129  0 17:34 ?        00:00:00 /usr/sbin/apache2 -k start

There are only three webpages I need access to. Is there a way of limiting access to these three pages, or of blocking HTTP requests temporarily?

mk_89
    You host a web server and you are wondering what all the connections are? They are robots or web scanners. The Internet is full of them. I'm more curious as to why apache is spawning so much to handle the requests. I think you have more of a config issue than a 'bad motive' issue. – schroeder Dec 04 '16 at 17:48

2 Answers

1

Is your Apache up to date? If not, it might be something like:

The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges

http://www.cvedetails.com/cve/cve-2011-3192

It forces Apache to start new processes, they never finish, the system slows down and finally stops.

rsm
0

I agree with the comment. It looks like your Apache server is misconfigured.

Some things that might also help, though these don't directly answer your original question.

  1. If you are only delivering 3 pages on a server with limited resources, Apache is a poor choice because of its resource usage. NGINX or one of the other web servers would serve you a lot better.
  2. If the pages you are serving are pretty static, use the free tier of Cloudflare to front your server and use the server's firewall to block all access except from the Cloudflare servers. Cloudflare will block a number of attacks and will serve the cached pages directly; both would help here.
  3. You are showing us the wrong logs, because the ones that count are the server logs that show where the connections are coming from. If there are any kinds of patterns to the attacks, you can use something like fail2ban to weed some of them out. For example, you can limit the number of hits from any specific IP address: if the limit (say 2 hits per second, for example) is exceeded, then ban the IP.
Julian Knight
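The per-IP rate check described in point 3 of the answer above, as an added example that is not part of the original answer: it reads Apache access-log lines and reports which client addresses exceed 2 hits in any one-second window, which is the kind of pattern a fail2ban rule would then act on. The function names and the sample log lines are constructed for illustration, and the code assumes the common/combined log format with lines in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache common log format (documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Dec/2016:17:34:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [04/Dec/2016:17:34:01 +0000] "GET /page1 HTTP/1.1" 200 900
203.0.113.7 - - [04/Dec/2016:17:34:01 +0000] "GET /admin HTTP/1.1" 404 210
203.0.113.7 - - [04/Dec/2016:17:34:01 +0000] "GET /login HTTP/1.1" 404 210
198.51.100.23 - - [04/Dec/2016:17:34:01 +0000] "GET /page2 HTTP/1.1" 200 870
203.0.113.7 - - [04/Dec/2016:17:34:01 +0000] "GET /setup HTTP/1.1" 404 210
this line is malformed and must be skipped
203.0.113.7 - - [04/Dec/2016:17:34:02 +0000] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [04/Dec/2016:17:34:02 +0000] "GET /page3 HTTP/1.1" 200 640
198.51.100.23 - - [04/Dec/2016:17:34:03 +0000] "GET /page3 HTTP/1.1" 200 640
"""

# Client address, two ignored fields, then the bracketed timestamp.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')


def parse_line(line):
    """Return (ip, timestamp) for one access-log line, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group(1), ts


def find_offenders(lines, max_hits=2, window=timedelta(seconds=1)):
    """Map each IP that exceeded max_hits within `window` to its peak hit count."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] >= window:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) > max_hits:
            peak[ip] = max(peak.get(ip, 0), len(hits))
    return peak
```

Access-log timestamps have one-second resolution, so a one-second window effectively counts hits that share the same logged second; widen `window` and raise `max_hits` to catch slower scanners.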