
We are having an issue at one of our customer sites where Tripwire is flagging events when more than 1000 HTTP connections are being individually created from different IP addresses within a span of one minute. We have turned on keep-alive (10 secs) on our web server (Apache on Linux). We did some network capturing and noticed that while the keep-alive timeout is being honored, it may still be creating multiple connections for the requests.


Does anyone know why all these HTTP connections are being created? Any help will be appreciated.

EDITED: To avoid confusion

  • Talk with whoever is making the requests. If it's degrading performance, just block that IP. – EEAA May 20 '15 at 02:50
  • If you want to ban him, you may use fail2ban and enable Apache monitoring. TCP keepalive has nothing to do with mitigating new HTTP connections; why do you think this is a TCP issue? – sivann May 20 '15 at 07:22
  • Sorry, what I meant to say is different IPs are individually creating 1000+ connections within a span of a minute. I edited the original question to reflect that. – Porter Leblanc May 20 '15 at 12:28

1 Answer


Without asking the originator of the requests, it's hard to 'guess' why they are being created. It could be a deliberate attack, or the person might not be aware their system is making the requests.

As you're on Linux just add a block on the IP via iptables using the following:

iptables -A INPUT -s x.x.x.x -j DROP

Where x.x.x.x is the IP address of the user making the requests.

twigg
  • Sorry, what I meant to say is different IPs are individually creating 1000+ connections within a span of a minute. I edited the original question to reflect that. – Porter Leblanc May 20 '15 at 12:29
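An added example, not part of the original question or answer: a sliding-window check that separates requests arriving on reused keep-alive connections from requests that each open a new connection, then renders the answer's iptables rule for every source IP above the 1000-per-minute figure from the question. It assumes a custom Apache access log written with `LogFormat "%h %{sec}t %k"`; that format, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

THRESHOLD = 1000  # new connections per source IP (figure from the question)
WINDOW = 60       # seconds (the one-minute span from the question)

def new_connections(lines):
    """Yield (ip, epoch) for each request that opened a new TCP connection.

    Assumed log format (not from the page): LogFormat "%h %{sec}t %k".
    %k counts keep-alive requests already served on the connection, so
    %k == 0 marks the first request on a fresh connection.
    """
    for line in lines:
        parts = line.split()
        try:
            ip, ts, k = parts[0], int(parts[1]), int(parts[2])
            ipaddress.ip_address(ip)  # reject anything that is not an IP
        except (IndexError, ValueError):
            continue  # skip malformed lines
        if k == 0:
            yield ip, ts

def offenders(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak} for IPs above threshold new connections in any window."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for ip, ts in sorted(new_connections(lines), key=lambda e: e[1]):
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:  # drop events older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}

def drop_rules(ips):
    """Render the answer's iptables block rule for each offending IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]

def sample_log():
    """Constructed sample using documentation-range IPs, not real traffic."""
    log = [f"192.0.2.10 {1000 + i // 30} 0" for i in range(1200)]  # no reuse
    # same request rate, but a new connection only every 100 requests
    log += [f"198.51.100.7 {1000 + i // 30} {i % 100}" for i in range(1200)]
    log += [f"203.0.113.5 {1000 + i} 0" for i in range(1200)]  # 1 conn/sec
    return log

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(sample_log()))))
```

Only the first client is reported: the second sends the same request volume over 12 connections, and the third never has more than 60 new connections inside any one-minute window.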