Trying to get on top of some CPU usage issues and investigate possible malicious activity. As part of this I am curious about lots of dummy connections in the Apache logs. What is the origin of these and why so many?

We run a number of PHP/MySQL web applications. I notice during a very high CPU spike (up to 100% usage) that top shows Apache creating loads of processes for www-data which I assume are hits on PHP scripts.

Are the dummy connections a symptom of the problem, or part of the cause? What other things can I look into?

/var/log/apache2/access.log

::1 - - [09/Dec/2019:14:42:32 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:33 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:34 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:35 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:36 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:37 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:38 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:39 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:40 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:46 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:53 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:54 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:55 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:57 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:58 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:42:59 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:00 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:01 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:02 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:03 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:04 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:05 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:06 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:12 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:13 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:14 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:15 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:16 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:17 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:22 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:23 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:27 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:34 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:38 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:39 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:40 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:41 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:42 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:43 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:44 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:45 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:46 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:47 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:48 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:49 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:50 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:51 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:52 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:53 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:43:57 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:44:00 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:44:03 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:44:04 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:44:05 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
::1 - - [09/Dec/2019:14:44:06 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
BadHorsie

1 Answer

From the Apache documentation:

When the Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections. To do this, it sends a simple HTTP request back to itself. This request will appear in the access_log file with the remote address set to the loop-back interface (typically 127.0.0.1 or ::1 if IPv6 is configured). If you log the User-Agent string (as in the combined log format), you will see the server signature followed by "(internal dummy connection)" on non-SSL servers. During certain periods you may see up to one such request for each httpd child process.

These requests are perfectly normal and you do not need to worry about them. They can simply be ignored.

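You can use .htaccess by redirecting requests from the "internal dummy connection" to an empty file:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^.*internal dummy connection.*$ [NC]
# In .htaccess (per-directory) context the leading slash is stripped before matching, so the root is ^$ rather than ^/$
RewriteRule ^$ /empty.html [L]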
Keftef
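
A log triage sketch for the situation in the question, added here as an example and not taken from either post: it counts the loopback dummy requests separately, flags entries that carry the marker from a non-loopback address, and buckets the remaining requests per minute and client so they can be lined up with the CPU spike. The sample lines, addresses and paths are constructed, and the function and field names are this example's own.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
LOOPBACK = {"::1", "127.0.0.1"}
MARKER = "(internal dummy connection)"

def triage(lines):
    """Separate httpd's own wake-up requests from traffic worth investigating."""
    result = {"dummy": 0, "suspect_marker": [], "unparsed": 0, "per_minute": Counter()}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            result["unparsed"] += 1
            continue
        host, ts, request, _status, _referer, agent = m.groups()
        if MARKER in agent:
            if host in LOOPBACK:
                result["dummy"] += 1  # genuine: sent by the server to itself
            else:
                # The User-Agent is client-supplied, so the marker alone proves nothing.
                result["suspect_marker"].append((host, request))
            continue
        # "09/Dec/2019:14:42:32 +0000"[:17] -> "09/Dec/2019:14:42"
        result["per_minute"][(ts[:17], host)] += 1
    return result

# Constructed sample: the first two lines follow the format shown in the question,
# the rest use documentation-range addresses and made-up paths.
UA = "Apache/2.4.37 (Ubuntu) OpenSSL/1.1.1a (internal dummy connection)"
SAMPLE = [
    '::1 - - [09/Dec/2019:14:42:32 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "%s"' % UA,
    '::1 - - [09/Dec/2019:14:42:33 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "%s"' % UA,
    '203.0.113.7 - - [09/Dec/2019:14:42:34 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "%s"' % UA,
    '198.51.100.23 - - [09/Dec/2019:14:42:35 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Dec/2019:14:42:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Dec/2019:14:42:37 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Dec/2019:14:43:01 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("dummy:", report["dummy"], "unparsed:", report["unparsed"])
    print("marker from non-loopback:", report["suspect_marker"])
    for (minute, host), hits in report["per_minute"].most_common(5):
        print(minute, host, hits)
```

Run against the real access.log, the per-minute buckets show which clients were active when top reported the www-data spike.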