[Building Sakai] Strange request pattern incidents in production

Mark Norton markjnorton at earthlink.net
Thu Dec 15 11:02:08 PST 2011 

Sure sounds like a DOS attack to me.

- Mark

On 12/15/2011 2:01 PM, Glenn R. Golden wrote:
> We have had two production "incidents" recently.  The symptoms are an 
> app server being slow, or the database heating up, or an app server 
> using an unusually large number of open files (which we monitor), or a 
> raft of bug report emails.  The problem persists for a few or 10s of 
> minutes, and is limited to only one of the app servers in the cluster 
> (one at a time).
>
> The real problem, though, after looking at the access logs for the 
> period, is a huge series of duplicate requests from a single user over 
> a short period of time.  In the first incident, we got 3000 requests 
> over 20 seconds.  In the second one, we got 1400 over 4 minutes.  In 
> each series, they are all the same request, to the same app server, 
> from the same user.  The requests look normal - one was a Melete list 
> request and one was a Mneme list request (these are two of our most 
> used tools).  It is the number of them that is the problem.
>
> Of course, Sakai will process all of these requests, even though the 
> browser has abandoned the connection.  The first one processes in 
> under a second.  By the time the last one is done, it has taken 100s 
> of seconds to process.
>
> This one user's barrage of requests slows down the app server, puts an 
> increased load on the database, and keeps an abnormally large number 
> of concurrent requests in Apache and Tomcat.  This increase in the 
> number of concurrent requests is what we see in the increased file 
> usage, as the Apache - Tomcat connector uses a unix "file" for each 
> connection.  In once case, it stressed the db connection pool on the 
> app server to the point that it stopped delivering connections (or the 
> clients all timed out waiting).
>
> Once the duplicate request series is done, and the requests are 
> processed, the app server quickly goes back to normal.
>
> I'm wondering: has anyone else seen anything like this?
>
> The browser in both of these cases was Chrome on Windows.
>
> - Glenn
>
> Glenn R. Golden
> Chief Architect, Etudes, Inc.
> ggolden at etudes.org <mailto:ggolden at etudes.org>
>
>
>
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-dev/attachments/20111215/5a309279/attachment.html

More information about the sakai-dev mailing list