5

I'm running a micro instance on Amazon Cloud Services, and a recent spike made our web server unresponsive. I'm trying to do a little research to determine if this was a DoS attack, or which process was hogging down the server.

I checked the Apache access log and all I see are internal dummy connections from the local IP:

127.0.0.1 - - [18/Feb/2013:18:51:20 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Ubuntu) (internal dummy connection)"

That's an example, and I noticed that when I tail the log file while refreshing the site, it adds a new record.

Why can't I see the remote IP that's connecting to the IP, and how can I better track down this issue?

Thomas Depole

1 Answer

3

Those "dummy" connections are the way Apache tells its child processes that they have to die.

Have a look at: http://www.thewebhelp.com/apache/internal-dummy-connection/

boris quiroz
  • Ok makes sense, is there a way for me to see which ips are connecting to the server, or making Apache requests? – Thomas Depole Feb 18 '13 at 19:53
  • I don't like using "default" logs. You can define a custom log on your virtual host configuration, like this: CustomLog /var/log/apache2/customlog.log common. – boris quiroz Feb 19 '13 at 11:02
  • Also, on the link I posted before there's a way to solve the problem. See "The Solution" part. That should fix your problem and you won't be DoSed from localhost again. – boris quiroz Feb 19 '13 at 11:03
  • Ok cool, I'm going to have to create a custom log to get the data I want, but I understand what's happening in the default logs, thanks for your help – Thomas Depole Feb 20 '13 at 18:11
  • Not true. Could be from Apache doing curl to itself. – sivann Jun 09 '15 at 08:58
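
For the question of which IPs are actually hitting the server, here is an added example (not part of the original posts) that separates Apache's internal dummy connections from real requests and counts hits per client and per minute. The function names and sample lines are constructed for illustration; it assumes the common or combined log format, and other loopback traffic such as a local curl is kept as a real request.

```python
import re
from collections import Counter

# Apache "common" format, optionally followed by the "combined" referer and user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
LOOPBACK = {"127.0.0.1", "::1"}

def is_dummy(m):
    """True for Apache's own internal dummy connection, not other local traffic."""
    if m.group("ip") not in LOOPBACK:
        return False
    ua = m.group("ua")
    if ua is not None:
        return "internal dummy connection" in ua
    # Assumption: "common" logs carry no user agent; match the question's request line.
    return m.group("req") == "OPTIONS * HTTP/1.0"

def summarize(lines):
    """Return (hits per client IP, hits per minute, dummy count, unparsed count)."""
    per_ip, per_minute = Counter(), Counter()
    dummy = unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
        elif is_dummy(m):
            dummy += 1
        else:
            per_ip[m.group("ip")] += 1
            per_minute[m.group("ts")[:17]] += 1  # e.g. "18/Feb/2013:18:51"
    return per_ip, per_minute, dummy, unparsed

# Constructed sample lines; client addresses are from documentation ranges.
SAMPLE = [
    '127.0.0.1 - - [18/Feb/2013:18:51:20 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Ubuntu) (internal dummy connection)"',
    '203.0.113.7 - - [18/Feb/2013:18:51:21 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Feb/2013:18:51:22 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Feb/2013:18:52:01 +0000] "GET / HTTP/1.1" 200 5120',
    '127.0.0.1 - - [18/Feb/2013:18:52:05 +0000] "GET /cron.php HTTP/1.1" 200 12 "-" "curl/7.22.0"',
    'not an access log line',
]

if __name__ == "__main__":
    per_ip, per_minute, dummy, unparsed = summarize(SAMPLE)
    print(dummy, unparsed, per_ip.most_common(5), per_minute.most_common(5))
```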