You should be able to track the machine by correlating the cache.log
timestamps with errors in access.log.

Best way to continue the analysis is to make a packet dump of the
requests from the offending client. Quite likely the client software
is broken (software bug or virus) and needs to be fixed.

From the request it seems it is a shockwave update agent that is
causing this problem.

Regards
Henrik

On Monday 26 August 2002 04.15, Wei Keong wrote:
> Hi Henrik,
>
> I've made the changes as mentioned and I got 24KB of 'y'.
>
> 2002/08/26 09:22:27| Request header is too large (24575 bytes)
> POST http://update.shockwave.com/svc/shockmachine/ HTTP/1.0
> Accept: , , Advanced Power Management supports, yyyyyyyyyy...
> 2002/08/26 09:22:27| Config 'request_header_max_size'= 20480 bytes
>
> Any idea what this is? DoS?
> Should I increase the request header and track the machine that sent
> the request?
> What's the sufficient request_header max size?
>
> Thanks,
> Wei Keong
>
> On Fri, 23 Aug 2002, Henrik Nordstrom wrote:
> > In src/client_side.c, try changing
> >
> > From:
> >
> >     debug(33, 1) ("Request header is too large (%d bytes)\n",
> >         (int) conn->in.offset);
> >
> > To:
> >
> >     debug(33, 1) ("Request header is too large (%d bytes)\n%s\n",
> >         (int) conn->in.offset, conn->in.buf);
> >
> >
> > Regards
> > Henrik
> >
> > Wei Keong wrote:
> > > Hi,
> > >
> > > Just want to have a better understanding on request header. My
> > > server seems to have a lot of 'request header too large' and I
> > > am wondering if there is anyway to confirm whether it's due to
> > > dos, buffer-overflow or bugs.
> > >
> > > Is there anyway to log the request header to investigate? I
> > > tried using log_mime_hdrs, but I cant tell much from it...
> > >
> > > 2002/08/23 10:41:34| Request header is too large (24575 bytes)
> > > 2002/08/23 10:41:34| Config 'request_header_max_size'= 20480 bytes.
> > >
> > > # TAG: request_header_max_size (KB)
> > > # This specifies the maximum size for HTTP headers in a request.
> > > # Request headers are usually relatively small (about 512 bytes).
> > > # Placing a limit on the request header size will catch certain
> > > # bugs (for example with persistent connections) and possibly
> > > # buffer-overflow or denial-of-service attacks.
> > >
> > > Rgds,
> > > Wei Keong
Received on Mon Aug 26 2002 - 00:26:42 MDT
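
The correlation suggested in the reply above, as an added example that is not part of the original thread or of Squid: it converts the local-time cache.log warnings to epoch seconds and lists the clients whose access.log error entries fall within a short window of them. The access.log lines, client addresses, function names and the `utc_offset_hours` parameter are constructed for illustration, and the status Squid records for the rejected request is an assumption.

```python
import calendar
import re
import time
from collections import Counter

# Constructed sample: the cache.log lines mirror the ones quoted in the thread.
CACHE_LOG = [
    "2002/08/26 09:22:27| Request header is too large (24575 bytes)",
    "2002/08/26 09:22:27| Config 'request_header_max_size'= 20480 bytes",
]
# Constructed native-format access.log lines (epoch.millis elapsed client action/status ...).
# Assumption: the rejected request is logged with some 4xx/5xx status.
ACCESS_LOG = [
    "1030353700.101    120 192.0.2.10 TCP_MISS/200 4312 GET http://www.example.com/ - DIRECT/198.51.100.5 text/html",
    "1030353747.512      3 192.0.2.44 NONE/400 1457 POST http://update.shockwave.com/svc/shockmachine/ - NONE/- text/html",
    "1030353747.900     85 192.0.2.10 TCP_HIT/200 812 GET http://www.example.com/logo.gif - NONE/- image/gif",
    "1030353790.250     40 192.0.2.77 TCP_MISS/404 512 GET http://www.example.com/missing - DIRECT/198.51.100.5 text/html",
]
WARN_RE = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| Request header is too large \((\d+) bytes\)")

def oversize_events(cache_lines, utc_offset_hours=0):
    """Return [(epoch_seconds, header_bytes)] for every oversize-header warning."""
    events = []
    for line in cache_lines:
        m = WARN_RE.match(line)
        if m:
            local = time.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            # cache.log is in proxy local time; access.log is in UTC epoch seconds.
            events.append((calendar.timegm(local) - utc_offset_hours * 3600,
                           int(m.group(2))))
    return events

def suspects(cache_lines, access_lines, window=1, utc_offset_hours=0):
    """Count error entries per client IP within `window` seconds of a warning."""
    stamps = [ts for ts, _ in oversize_events(cache_lines, utc_offset_hours)]
    hits = Counter()
    for line in access_lines:
        fields = line.split()
        try:
            ts = float(fields[0])
            status = int(fields[3].split("/")[1])
        except (ValueError, IndexError):
            continue  # skip truncated or non-native lines
        if status >= 400 and any(abs(ts - s) <= window for s in stamps):
            hits[fields[2]] += 1
    return hits.most_common()

if __name__ == "__main__":
    print(suspects(CACHE_LOG, ACCESS_LOG))
```

Set `utc_offset_hours` to the proxy's timezone offset; with the wrong offset the two logs will not line up and no client is reported.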