
504 Gateway Timeout

504 Gateway Timeout is a server error code returned by a server that is acting as a proxy or gateway. It typically means that the server did not receive a timely response from an upstream server specified in the URL, such as an LDAP, FTP, HTTP, or other auxiliary server that it needs to access in order to finish the request being made of it.

A 504 gateway timeout server error display can be customized to each website that uses the message. In the case of the 504 gateway timeout code, most sites choose not to customize the message. Below are two of the most common ways the 504 gateway timeout is displayed though:

504: Gateway Timeout
HTTP 504

504 Gateway Timeout Resolution

A 504 gateway timeout is the HTTP status message which means that a web server didn't receive a response in sufficient time from another server that it was trying to access while attempting to load the requested web page or fill another request from a web browser.

The easiest way to resolve a 504 gateway timeout error is to refresh the web page in your web browser to see if it was a momentary glitch on the website you are attempting to access. Another option is to come back in a few hours and try again in case the website was simply offline at the time you were trying to access it.

10 Things to Do During a 504 Gateway Timeout
BY ROSALIND GARDNER FILED UNDER: HOW TO BLOG / BUILD A SITE TAGGED WITH: 504 ERROR, GATEWAY TIMEOUT, HTTP STATUS

I knew something was amiss when only a paltry 17 emails showed up during the morning download, so I checked my sites and sure enough, the sites hosted on one of my servers were showing a 504 Gateway Timeout error. (See list of HTTP Status Codes and their meanings here.)

A 504 error usually means that a server upstream from yours that is acting as a gateway to handle the HTTP request is either down or too slow to fulfill the request. Unfortunately, there is nothing that you can do to solve a 504 gateway timeout problem. It has to be dealt with by the techies at the ISP that hosts the errant web server.

The following is a list of my recommended responses to such a problem.

1. Assess the HTTP error. There's a good list of HTTP status codes, some with explanations.
2. Shut down applicable PPC campaigns. Every click that goes to a site that isn't online is a waste of money. Refrain from wondering how long your site has been down or thinking about how much money you've probably just flushed.
3. Contact your webmaster or ISP. Explain the problem CONCISELY. There's no need to tell them that you were in the middle of enjoying a delicious breakfast of ham and eggs when ESP told you that things with your site were awry.
4. Know that stuff happens and remain calm. The outage may last only a minute or two, so there's no need to get stressed out. Do your best to avoid visions of bankruptcy court and bag ladies.
5. Twiddle your thumbs. Now think of something else to do.
6. Post to social networking sites. Release whatever angst you feel by posting about your situation to your Twitter, Facebook and MySpace accounts. Someone may respond with such concern that you feel better for a short while. If not, send out a bunch of friend requests to find better friends.
7. Write a few blog entries (using a text editor) to post when your site is again available. If you're short on ideas or too stressed about the situation to think clearly, see the next list item.
8. Buy a PLR package. I bought Anik Singal's Valentine / Spring package, dating site was still online, queued up the blog posts for delivery during the month of January.
9. Take a break away from your office. If the outage becomes prolonged, use the time to do something really different like refill your shampoo dispenser. Better yet, go outside, get some exercise and see what your town looks like in daylight hours.
10. When you return and/or the problem is rectified, check your stats. You might find that you've made enough money with free search engine traffic to want to modify that PPC campaign before you turn it back on.

The most important thing to remember: don't stress! You can still get good work done and/or have fun. Enjoy the break while it lasts.

DDOS attack
If your redhat/cpanel server is under DDOS attack, go to the directory /usr/local/apache/domlogs and use the command:

    grep '408 -' *.com > output_file_name

You can use the same search pattern for other domains with the extensions .net, .org, etc.; we have to do it one by one. Check for 408 responses with:

    tail -f /etc/httpd/logs/access_log

If there are any, use the command above to find the domains which are under attack.

408 Request Timed Out

Successful Client Requests
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content

Client Request Redirected
300 Multiple Choices
301 Moved Permanently
302 Moved Temporarily
303 See Other
304 Not Modified
305 Use Proxy

Client Request Errors
400 Bad Request
401 Authorization Required
402 Payment Required (not used yet)
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable (encoding)
407 Proxy Authentication Required
408 Request Timed Out
409 Conflicting Request
410 Gone
411 Content Length Required
412 Precondition Failed
413 Request Entity Too Long
414 Request URI Too Long
415 Unsupported Media Type

Server Errors
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
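The grep over the domlogs directory can be done for every domain in one pass instead of one extension at a time. The script below is an added example, not part of the original tip; the function names and the sample log lines are constructed for illustration, and the log layout is assumed to be Apache's combined format.

```shell
#!/bin/sh
# Added example. Sample log lines are constructed; Apache records a request
# that timed out before it was read as "-" with status 408.

make_sample_logs() {   # writes three constructed domain logs into directory $1
  cat > "$1/example.com" <<'EOF'
203.0.113.7 - - [12/Mar/2006:10:00:01 +0000] "-" 408 - "-" "-"
203.0.113.7 - - [12/Mar/2006:10:00:02 +0000] "-" 408 - "-" "-"
198.51.100.9 - - [12/Mar/2006:10:00:03 +0000] "-" 408 - "-" "-"
192.0.2.50 - - [12/Mar/2006:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.51 - - [12/Mar/2006:10:00:05 +0000] "GET /a HTTP/1.1" 200 90 "-" "probe 408 - test"
EOF
  cat > "$1/example.net" <<'EOF'
198.51.100.9 - - [12/Mar/2006:10:01:00 +0000] "-" 408 - "-" "-"
EOF
  cat > "$1/example.org" <<'EOF'
192.0.2.50 - - [12/Mar/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
}

# Prints "<count> <logfile>" for every log in directory $1 that contains 408
# responses, busiest first. The status is read from the field after the quoted
# request line, so "408 -" inside a user agent or referrer is not counted.
count_408() {
  for log in "$1"/*; do
    [ -f "$log" ] || continue
    n=$(awk -F'"' '{ split($3, f, " "); if (f[1] == "408") c++ }
                   END { print c + 0 }' "$log")
    if [ "$n" -gt 0 ]; then echo "$n $(basename "$log")"; fi
  done | sort -rn
}

# Prints "<count> <client IP>" for the 408 responses in one log file.
top_408_clients() {
  awk -F'"' '{ split($3, f, " "); split($1, h, " ")
               if (f[1] == "408") c[h[1]]++ }
             END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

tmp=$(mktemp -d)
make_sample_logs "$tmp"
count_408 "$tmp"          # on the server: count_408 /usr/local/apache/domlogs
top_408_clients "$tmp/example.com"
rm -rf "$tmp"
```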

Preventing DDoS Attacks
Posted on Sunday, March 12, 2006 - 11:05 PM
Articles by Blessen Cherian

DDOS, or Distributed Denial of Service, is an advanced version of the DOS (Denial of Service) attack. Like DOS, DDOS tries to deny important services running on a server by broadcasting packets to the destination server in a way that the destination server cannot handle. The speciality of DDOS is that it does not relay attacks from a single network/host like DOS. The DDOS attack is launched from different dynamic networks which have already been compromised.

Normally, DDOS consists of 3 parts: the Master, the Slave and, lastly, the Victim. The Master is the attack launcher, i.e. the person/machine behind all this. The Slave is the network that is being compromised by the Master, and the Victim is the target site/server. The Master instructs the compromised machines, the so-called Slaves, to launch an attack on the Victim's site/machine. Hence it's also called a co-ordinated attack. Here is how I see it: the Master is the master brain, the Slave is the launch pad for the attack and the Victim is the target.

DDOS is done in 2 phases. In the first phase they try to compromise weak machines in different networks around the world. This phase is called the Intrusion Phase. It's in the next phase that they install DDOS tools and start attacking the victim's machines/site. This phase is called the Distributed DoS attack phase.

What Allowed them to do it?

Simple.

1. Vulnerable software/applications running on a machine or network.
2. Open network setup.
3. Network/machine setup without taking security into account.
4. No monitoring or data analysis being conducted.
5. No regular audits / software upgrades being conducted.

What should we do if we are under DDOS attack?

Check if your machine's load is high and you have a large number of HTTP processes running. To find the load, just use the command w or uptime:

    # w
     12:00:36 up 1 day, 20:27, 5 users, load average: 0.70, 0.70, 0.57
    USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

To find out if there is a large number of HTTP processes running, use the command "ps aux|grep httpd|wc -l":

    # ps aux|grep httpd|wc -l
    23

On a heavy server, the number of connections will go above 100. But during a DDOS attack the number will go even higher, and that's when we need to find out which networks these attacks are coming from. In DDOS the host machine doesn't have much importance. It's the network which is of importance here, because an attacker will use any machine on the compromised network, or even all the machines in the network. Hence the network address is what matters while fighting the attack.

If you have a high load (say 5 or more) and a large number of HTTP processes, then I would ask you to do the following. At the command prompt execute the below command:

    bash# netstat -anp|grep :80 |awk '{print $5}'|sort

Check each block of IPs. Let's assume you have more than 30 connections from a single IP. Under normal cases there is no need for that many connection requests from a single IP. Try to identify such IPs/networks from the list you get. If more than 5 hosts/IPs connect from the same network, then it's a clear sign of DDOS.

Block those IPs/networks using iptables / APF:

    iptables -A INPUT -s <IP-or-network> -j DROP

If you have APF, then just add the IPs which you want to block to the file /etc/apf/deny_hosts.rules

Continue this process until the attack on the machine gets reduced.
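
The per-IP and per-network check described above can be scripted so the sorted list does not have to be read by eye. This is an added example, not code from the original article; the function names, the constructed sample connections, and the choice of an IPv4 /24 as the "network" are assumptions.

```shell
#!/bin/sh
# Added example. Thresholds are the article's: more than 30 connections from
# one IP, more than 5 hosts from one network. Treating a "network" as an IPv4
# /24 is an assumption made here.

# Constructed sample of `netstat -ant` lines (documentation address ranges).
sample_netstat() {
  echo "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
  i=0
  while [ "$i" -lt 35 ]; do                 # one client holding 35 connections
    echo "tcp 0 0 192.0.2.10:80 203.0.113.7:$((40000 + i)) ESTABLISHED"
    i=$((i + 1))
  done
  for h in 1 2 3 4 5 6; do                  # six hosts from the same /24
    echo "tcp 0 0 192.0.2.10:80 198.51.100.$h:5000$h SYN_RECV"
    echo "tcp 0 0 192.0.2.10:80 198.51.100.$h:5100$h ESTABLISHED"
  done
  echo "tcp 0 0 192.0.2.10:80 192.0.2.200:43210 ESTABLISHED"   # ordinary client
  echo "tcp 0 0 192.0.2.10:22 192.0.2.201:8012 ESTABLISHED"    # SSH, not port 80
}

# Reads netstat lines on stdin. Prints "ip <addr> <connections>" for each
# address over MAX_PER_IP and "net <a.b.c>.0/24 <hosts>" for each network
# with more than MAX_HOSTS_PER_NET distinct hosts.
suspects() {
  awk -v max_ip="${MAX_PER_IP:-30}" -v max_hosts="${MAX_HOSTS_PER_NET:-5}" '
    # Match on the local address column, so a remote port such as :8012
    # is not mistaken for port 80, and skip the listening socket.
    $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
      ip = $5; sub(/:[0-9]+$/, "", ip)      # drop the remote port
      conns[ip]++
    }
    END {
      for (ip in conns) {
        if (conns[ip] > max_ip) print "ip", ip, conns[ip]
        net = ip; sub(/\.[0-9]+$/, "", net) # a.b.c.d -> a.b.c
        hosts[net]++
      }
      for (net in hosts)
        if (hosts[net] > max_hosts) print "net", net ".0/24", hosts[net]
    }' | sort
}

# On a live server: netstat -ant | suspects
sample_netstat | suspects
```

Addresses reported here are candidates for review before they go into iptables or /etc/apf/deny_hosts.rules; a proxy or NAT gateway can legitimately exceed either threshold.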

There is no complete or perfect solution to DDOS. The logic is simple: NO software or measures could handle attacks from multiple servers, say from 50 - 100 servers, all at a time. All that can be done is to take preventive measures.

How can we prevent or defend ourselves from these attacks?

Prevention is better than cure. That is very much true in the case of DDOS. In my Introduction, I had mentioned that DDOS happens because of vulnerable software/applications running on machines in a particular network. Attackers use those security holes to compromise the servers in different networks and install the DDOS tools (e.g. trinoo, a DDOS tool).

To prevent DDOS in future, follow these steps.

Setup machine / network keeping security in mind (Implement Good Security policy)

Setup a firewall which does Ingress and Egress Filtering at Gateway

Steps to Install APF

    bash# wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz
    bash# tar -zxf apf-current.tar.gz
    bash# cd apf-*/
    bash# ./install.sh

Notes: Go through the documentation in APF and configure it for your needs. All configuration is set in conf.apf, which is normally located at /etc/apf/conf.apf

Enable Anti-DOS mode in APF (i.e. in conf.apf). Also make sure that your root's cron has an entry like the one below:

    */8 * * * * root /etc/apf/ad/antidos -a >> /dev/null 2>&1

Install IDS on your gateway/hosts to alert you when someone tries to sniff In.

(a) Download AIDE

    wget ftp://ftp.cs.tut.fi/pub/src/gnu/aide-0.7.tar.gz

(b) Untar it

    tar -zxvf aide-0.7.tar.gz

(c) Change into the source directory

    cd aide-0.7

(d) Then execute

    ./configure --with-gnu-regexp

(e) Final steps to install

    make;make install

(f) Now the main step: configuring AIDE. AIDE stores all its rule sets in the file called aide.conf. For more details on how to configure it, see 'man aide.conf'.

(g) Here is a sample short aide.conf:

    Rule = p+i+u+g+n+s+md5
    /etc p+i+u+g
    /sbin Rule
    /usr/local/apache/conf Rule
    /var Rule
    !/var/spool/.*
    !/var/log/.*

In this configuration, a rule called "Rule" is set to check permissions (p), inode (i), user (u), group (g), number of links (n), size (s), and md5 checksum (md5). These rules are applied to all files in /bin, /sbin, /var, and /usr/local/apache/conf because they should rarely if ever change. Files in /etc are checked for changes in only permissions, inode, user, and group because their size may change, but other things shouldn't. Files and directories in /var/spool and /var/log are not checked because those are folders where the most updates take place.

(h) After configuring, AIDE should be initiated with all these rules. For that, execute

    aide --init

Conduct regular Audits on each host on the network to find installation of DDOS tools / Vulnerable applications.

Use tools like RKDET (vancouver-webpages.com/rkdet), RKHUNTER (www.rootkit.nl) and CHKROOTKIT (www.chkrootkit.org) to find out if any rootkit has already been installed and to locate the affected binaries on the machine, if any.

This is a simple audit checklist:

* Software Vulnerabilities.
* Kernel Upgrades and vulnerabilities.
* Check for any Trojans.
* Run chkrootkit.
* Check ports.
* Check for any hidden processes.
* Use audit tools to check system.
* Check logs.
* Check binaries and RPMS.
* Check for open email relays.
* Check for malicious cron entries.
* Check /dev /tmp /var directories.
* Check whether backups are maintained.
* Check for unwanted users, groups, etc. on the system.
* Check for and disable any unneeded services.
* Locate malicious scripts.
* Querylog in DNS.
* Check for the suid scripts and nouser scripts.
* Check valid scripts in /tmp.
* Use intrusion detection tools.
* Check the system performance.
* Check memory performance (run memtest).

Enforce and Implement Security Measures on all hosts in the network.

Machines, new or old, should only be allowed to run on your network if your Security Admin or DSE (Dedicated Security Expert) member approves it with status ``OK-to go live'' after auditing the box. All hosts in the network should be checked on a regular basis by your DSE team to make sure that all hosts are up-to-date and can fight any attacks.

Audit network on a regular basis to see if your network is vulnerable to attacks

Use Open Source Tools like NESSUS (www.nessus.org), NMAP (www.insecure.org/nmap), SAINT (www.saintcorporation.com/products/saint_engine.html), SARA (www-arc.com/sara/sara.html) for auditing a network to find its vulnerabilities.

Create a DSE (Dedicated Security Expert) Team for your company.

Collect your network and hosts data. Analyse and study them to see from where and what kind of attacks are coming into the network. This step will help us to understand what kind of attacks we are facing and will help us to strengthen the preventive measures. Let me tell you, this move is worth the money you spend, for sure.

Implement Sysctl protection against DDOS

    bash# vi /etc/sysctl.conf

Add this code to this file:

    # Enable IP spoofing protection, turn on Source Address Verification
    net.ipv4.conf.all.rp_filter = 1
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1

Add the below code in /etc/rc.local and restart network:

    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
    done
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Install Mod_dosevasive to your apache.

Mod_dosevasive is a module for Apache that performs evasive action in the event of an HTTP DDoS attack or brute force attack. Please find the installation steps of mod_dosevasive in DSO mode below.

Eg: Install Mod_dosevasive

    # wget http://www.nuclearelephant.com/projects/mod_evasive/mod_evasive_1.10.1.tar.gz
    # tar -zxvf mod_evasive_1.10.1.tar.gz
    # cd mod_evasive_1.10.1
    # $APACHE_ROOT/bin/apxs -iac mod_evasive.c

``$APACHE_ROOT'' is a variable that stores the location of the apache installation (eg $APACHE_ROOT=/usr/local/apache)

    # vi /usr/local/apache/conf/httpd.conf

After this add the below code in httpd.conf

    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10

Then restart Apache

    # /usr/local/apache/bin/apachectl restart

Install Mod_security

Since DDOS normally targets HTTP, it's always good to have a filtering system for apache, so that the request gets analyzed before the web server handles it. Please find the installation steps of mod_security in DSO mode below.

    bash# wget http://www.modsecurity.org/download/modsecurity-apache-1.9.2.tar.gz
    bash# tar -zxvf modsecurity-apache-1.9.2.tar.gz
    bash# cd modsecurity-apache-1.9.2
    bash# /usr/local/apache/bin/apxs -cia mod_security.c

Create a file named mod_security.conf under the folder /usr/local/apache/conf

    bash# vi /usr/local/apache/conf/mod_security.conf

Create the rule with reference to the link http://www.modsecurity.org/documentation/quick-examples.html and add it to the mod_security.conf file.

Add the location of mod_security.conf to httpd.conf

    bash# vi /usr/local/apache/conf/httpd.conf

by adding the string below

    Include /usr/local/apache/conf/mod_security.conf

Restart apache

    # /usr/local/apache/bin/apachectl stop
    # /usr/local/apache/bin/apachectl start

The best solution to fight DDOS, to a certain extent, is to set up a load balancer for your services.

Creating awareness on Security

This is the most important part. People, including users, should be security conscious. Only then will they understand the importance of security measures. Server owners and users should be made aware of the issues which can arise due to bad security measures.
