Access denied with code 400. Too many threads

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Post Reply
iv@rh
Forum User
Forum User
Posts: 29
Joined: Wed Jul 04, 2012 9:03 pm
Location: Melbourne

Access denied with code 400. Too many threads

Unread post by iv@rh »

Can't seem to find the answer in your board nor Google.

After updating Apache from 2.2.x to 2.4.x the (cPanel server, CentOS 6) Apache error log is flooded with the following:

Code: Select all

[Wed Jun 03 20:55:59.777267 2015] [:warn] [pid 286756:tid 140205325903616] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 81.28.161.2 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:56:00.619291 2015] [:warn] [pid 286758:tid 140205342689024] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 81.28.161.2 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:56:04.086660 2015] [:warn] [pid 286759:tid 140205239559936] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 157.55.39.109 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:56:06.247278 2015] [:warn] [pid 286758:tid 140205334296320] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 122.129.219.79 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:56:08.704538 2015] [:warn] [pid 286757:tid 140205172418304] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 46.137.228.195 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:56:08.957250 2015] [:warn] [pid 286759:tid 140205214381824] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 127.0.0.1 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:56:11.139705 2015] [:warn] [pid 286758:tid 140205239559936] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 46.137.228.195 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:57:03.797080 2015] [:warn] [pid 286759:tid 140205189203712] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 54.253.183.167 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:57:05.508148 2015] [:warn] [pid 286756:tid 140205247952640] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 54.253.183.167 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:57:09.289274 2015] [:warn] [pid 286760:tid 140205342689024] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 157.55.39.241 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:57:11.570923 2015] [:warn] [pid 286760:tid 140205334296320] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 127.0.0.1 - Possible DoS Consumption Attack [Rejected]
[Wed Jun 03 20:57:44.471658 2015] [:warn] [pid 286761:tid 140205222774528] ModSecurity: Access denied with code 400. Too many threads [16384] of 8096 allowed in READ state from 114.198.57.197 - Possible DoS Consumption Attack [Rejected]
Since Apache 2.4 is officially supported by ASL, what would needs to be done to stop this?
Top
User avatar
hostingg
Forum User
Forum User
Posts: 63
Joined: Mon Mar 18, 2013 6:26 pm
Location: Earth

Re: Access denied with code 400. Too many threads

Unread post by hostingg »

i think something is wrong with your system. that means you have 16K connections to apache. i dont even know how is that even possible unless someone is attacking you or your system is misconfigured. is 16K connections even something apache handle?

my advice would be to see what all those connections are. thats crazy high
If everything was easy, then the world wouldn't need engineers.
Top
iv@rh
Forum User
Forum User
Posts: 29
Joined: Wed Jul 04, 2012 9:03 pm
Location: Melbourne

Re: Access denied with code 400. Too many threads

Unread post by iv@rh »

hostingg wrote:i think something is wrong with your system. that means you have 16K connections to apache. i dont even know how is that even possible unless someone is attacking you or your system is misconfigured. is 16K connections even something apache handle?

my advice would be to see what all those connections are. thats crazy high
I don't think you are right here. These are threads, not connections. This is either incorrect reporting or Apache misconfiguration. The netstat with filter by Apache's listening port only reveals about 10 Apache connections while this error is happening.

I have a feeling this is problem with ASL's mod_security and cPanel 11.50/Easyapache 3.30. To begin with, cPanel update disables ASL's mod_secuirty and the only way to re-enable it permanently was to add ASL's httpd configuration file content into global include file. I feel that since mod_secuirty was disabled in Easyapache during httpd build, cPanel disables it somehow. The configuration files exist in /usr/local/apache, modescurity.d folder is there and modesc2.conf symlink also there. It is just ignored.

The problem is I am not sure how to debug this problem. Any ideas?
Top
Post Reply

Return to “Atomic Protector (formerly ASL)”