2013-02-13 18 views
2

Hundreds of CLOSE_WAIT connections are eating my ThreadPools

We have a pretty brutal situation. Our site in Germany is an online shop. Several times a day we get a large number of connections in CLOSE_WAIT state, which show up in netstat from the same ip. It is a different IP each time, but they are all in China. We do have Chinese customers. Checking the access logs, we see that the traffic from the ip in question comes from one browser (useragent, session ID), but it does not look like real traffic, e.g. 500 consecutive requests without requesting the css, js and images behind them. So we end up with e.g. 1000 threads in socketWrite0, of which 820 are tied up to the same IP:

"http--0.0.0.0-8443-1201" daemon prio=10 tid=0x00007f7435257800 nid=0x5361 runnable [0x00007f73e162a000] 
    java.lang.Thread.State: RUNNABLE 
    at java.net.SocketOutputStream.socketWrite0(Native Method) 
    at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109) 
    at java.net.SocketOutputStream.write(SocketOutputStream.java:153) 
    at org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:724) 
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:449) 
    at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:349) 
    at org.apache.coyote.http11.InternalOutputBuffer$OutputStreamOutputBuffer.doWrite(InternalOutputBuffer.java:748) 
    at org.apache.coyote.http11.filters.ChunkedOutputFilter.doWrite(ChunkedOutputFilter.java:126) 
    at org.apache.coyote.http11.InternalOutputBuffer.doWrite(InternalOutputBuffer.java:559) 
    at org.apache.coyote.Response.doWrite(Response.java:594) 
    at org.apache.catalina.connector.OutputBuffer.realWriteBytes(OutputBuffer.java:398) 
    at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:449) 
    at org.apache.catalina.connector.OutputBuffer.realWriteChars(OutputBuffer.java:473) 
    at org.apache.tomcat.util.buf.CharChunk.flushBuffer(CharChunk.java:469) 
    at org.apache.tomcat.util.buf.CharChunk.append(CharChunk.java:295) 
    at org.apache.catalina.connector.OutputBuffer.write(OutputBuffer.java:505) 
    at org.apache.catalina.connector.CoyoteWriter.write(CoyoteWriter.java:143) 
    at org.apache.catalina.connector.CoyoteWriter.write(CoyoteWriter.java:152) 
    at com.sun.faces.application.view.WriteBehindStateWriter.flushToWriter(WriteBehindStateWriter.java:240) 
    at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:419) 
    at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:125) 
    at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:288) 
    at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:288) 
    at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:121) 
    at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101) 
    at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139) 
    at javax.faces.webapp.FacesServlet.service(FacesServlet.java:594) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:840) 
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:622) 
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:560) 
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:488) 
    at x.y.z.common.web.dispatch.StartPageDispatcherServlet.forward(StartPageDispatcherServlet.java:52) 
    at x.y.z.common.web.dispatch.StartPageDispatcherServlet.service(StartPageDispatcherServlet.java:37) 
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at org.jboss.weld.servlet.ConversationPropagationFilter.doFilter(ConversationPropagationFilter.java:62) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at net.anotheria.moskito.web.MoskitoFilter.doFilter(MoskitoFilter.java:110) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at net.anotheria.moskito.web.MoskitoFilter.doFilter(MoskitoFilter.java:110) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at net.anotheria.moskito.web.filters.JourneyFilter.doFilter(JourneyFilter.java:84) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at net.anotheria.moskito.web.filters.MoskitoCommandFilter.doFilter(MoskitoCommandFilter.java:26) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at x.y.z.common.web.useragent.TouchScreenDeviceFilter.doFilter(TouchScreenDeviceFilter.java:42) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at x.y.z.common.web.LandingPageFilter.doFilter(LandingPageFilter.java:44) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at x.y.z.common.web.CharsetFilter.doFilter(CharsetFilter.java:53) 
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280) 
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) 
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) 
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) 
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:397) 
    at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) 
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) 
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) 
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466) 
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567) 
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) 
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) 
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) 
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) 
    at java.lang.Thread.run(Thread.java:722) 

Grepping the netstat output for this IP shows 817 connections in CLOSE_WAIT and 3 in ESTABLISHED state.

The access logs show:

140.206.78.100 [13/Feb/2013:15:20:48 +0100] http--0.0.0.0-8443-364 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1276 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:50 +0100] http--0.0.0.0-8443-364 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1259 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:51 +0100] http--0.0.0.0-8443-477 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 2991 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:53 +0100] http--0.0.0.0-8443-428 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 2456 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:54 +0100] http--0.0.0.0-8443-639 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1305 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:54 +0100] http--0.0.0.0-8443-491 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1326 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:56 +0100] http--0.0.0.0-8443-491 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1293 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:57 +0100] http--0.0.0.0-8443-663 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1315 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:20:59 +0100] http--0.0.0.0-8443-663 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 1277 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 
140.206.78.100 [13/Feb/2013:15:21:02 +0100] http--0.0.0.0-8443-225 GET o1uNdliDOQhJkDnbvXo4RIZ2.undefined 2427 HTTP/1.1 443/200 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.95 Safari/537.11 

We use JBoss AS 7, Java 6/7 (tried both), on Ubuntu VMs, with SSL offloading and load balancing done by an Alteon load balancer.

PS: adding netstat samples; the three ESTABLISHED ones:

tcp  0  0 my.public.ip:8443  140.206.78.100:14186 ESTABLISHED 
tcp  0 35040 my.public.ip:8443  140.206.78.100:14620 ESTABLISHED 
tcp  0 35040 my.public.ip:8443  140.206.78.100:13859 ESTABLISHED 

and some of the 817 CLOSE_WAIT ones:

tcp  1 35040 my.public.ip:8443  140.206.78.100:13233 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:11649 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:11605 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:11892 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:13692 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:11988 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:13055 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:13242 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:13073 CLOSE_WAIT 
tcp  1 37960 my.public.ip:8443  140.206.78.100:10176 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:14557 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:12288 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:12509 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:11049 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:11839 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:14208 CLOSE_WAIT 
tcp  1 35040 my.public.ip:8443  140.206.78.100:14662 CLOSE_WAIT 
+0

Can you add a 'netstat' sample? – fglez 2013-02-13 15:48:46

+0

@fglez done, pasted some grepped ESTABLISHED and CLOSE_WAIT lines. No other states for this IP. – Leon 2013-02-13 16:19:48
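The check a defender wants here is to turn the netstat output above into a per-peer summary: how many sockets sit in CLOSE_WAIT and, of those, how many still carry unsent bytes in Send-Q (the signature of a worker thread stuck in socketWrite0 because the peer half-closed without draining the response). The following script is an added example, not code from the original post; the netstat sample embedded in it is constructed to mirror the post's lines, and the second peer address and the threshold of 3 are assumptions.

```python
"""Flag remote IPs whose connections pile up in CLOSE_WAIT with a non-empty Send-Q.
Added example for the netstat pattern in the post; not the poster's code."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the post's netstat output (Recv-Q, Send-Q, local, remote, state).
# 203.0.113.7 is an assumed, well-behaved second client for contrast.
NETSTAT_SAMPLE = """\
tcp  0  0 my.public.ip:8443  140.206.78.100:14186 ESTABLISHED
tcp  0 35040 my.public.ip:8443  140.206.78.100:14620 ESTABLISHED
tcp  1 35040 my.public.ip:8443  140.206.78.100:13233 CLOSE_WAIT
tcp  1 35040 my.public.ip:8443  140.206.78.100:11649 CLOSE_WAIT
tcp  1 37960 my.public.ip:8443  140.206.78.100:10176 CLOSE_WAIT
tcp  0  0 my.public.ip:8443  203.0.113.7:51000 ESTABLISHED
"""

# proto  Recv-Q  Send-Q  local:port  remote:port  STATE
NETSTAT_RE = re.compile(r"^tcp6?\s+(\d+)\s+(\d+)\s+\S+\s+(\S+):(\d+)\s+([A-Z_]+)\s*$")


def parse_netstat(text):
    """Yield (remote_ip, recv_q, send_q, state) for each tcp line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line.strip())
        if m:
            recv_q, send_q, ip, _port, state = m.groups()
            yield ip, int(recv_q), int(send_q), state


def suspicious_peers(text, min_close_wait=3):
    """Return {ip: {state_counts..., "stuck_send_q": n}} for peers with at least
    `min_close_wait` CLOSE_WAIT sockets. "stuck_send_q" counts sockets that are
    CLOSE_WAIT *and* still hold unsent bytes: the peer closed its side while the
    server is still blocked writing the response, which is what ties up the thread pool."""
    stats = defaultdict(Counter)
    for ip, _recv_q, send_q, state in parse_netstat(text):
        stats[ip][state.lower()] += 1
        if state == "CLOSE_WAIT" and send_q > 0:
            stats[ip]["stuck_send_q"] += 1
    # Counter lookups of missing keys return 0, so IPs with no CLOSE_WAIT are filtered out cleanly.
    return {ip: dict(c) for ip, c in stats.items() if c["close_wait"] >= min_close_wait}


if __name__ == "__main__":
    for ip, counts in suspicious_peers(NETSTAT_SAMPLE).items():
        print(f"{ip}: {counts}")
```

In production you would feed it `netstat -tan` (or `ss -tan`) output on a schedule and raise an alert, or hand the flagged IP to the upstream filter, once the CLOSE_WAIT count crosses the threshold.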

Answer

2

You are getting a denial-of-service attack. Blacklist the client IP address.

+0

This should be blacklisted at a router as close to the Internet as possible (even better if you can get your ISP to blacklist it), not at the web server itself. – Eric 2013-02-14 01:14:44

+0

These people seem to focus on Tomcats. When I put Apache HTTPD in front of mine, this nuisance disappeared. – EJP 2013-02-14 01:18:44

+1

I guess that is because of the slowloris vulnerability. CVE-2012-5568 – Eric 2013-02-14 01:28:55