internal dummy connection

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

internal dummy connection

Post by fredvps » 2015/02/27 15:27:43

Can someone please explain what apache/centos is doing with this so I can understand any implications.
I have never seen this before.

::1 - - [21/Feb/2015:03:27:45 +0000] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.15 (CentOS) (internal dummy connection)"
The entry appears in the main access log 8 times in sequence.

There are many "google" comments but I can't see an explanation of what it is actually for.
postconf confirms only ipv4 is in use - yet response code is 200?

thanks

WhatsHisName
Posts: 1549
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: internal dummy connection

Post by WhatsHisName » 2015/02/27 15:42:57

Normally, that pops up in my logs during intense malicious scans of apache content when MaxClients is exceeded (see /etc/httpd/conf/httpd.conf). The "[::1]" is probably the attacker misidentifying themselves. Very common.

Think of it as a DoS attack.

Your Mileage May Vary. :-)

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: internal dummy connection

Post by avij » 2015/02/27 16:42:39

Erm, the web server records the source IP address. This can't be faked, as far as I'm aware. ::1 is the IPv6 equivalent of 127.0.0.1.

I would not worry too much about those.

WhatsHisName
Posts: 1549
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: internal dummy connection

Post by WhatsHisName » 2015/02/27 16:55:37

Yes, I thought that too until I started seeing IPs in the log (including 127.0.0.1 that are not from my end) that are absolutely blocked at the WAN firewall in both directions.

There are others much smarter at packet manipulation than I am, but I agree that I don't understand how it would be done.

As I said, YMMV.

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: internal dummy connection

Post by jscarville » 2015/02/27 19:54:59

It is normal for Apache

https://wiki.apache.org/httpd/InternalDummyConnection

If you are seeing ::1 then you have IPv6 enabled somewhere. Check your Listen directives.

For all interfaces:

Listen 0.0.0.0:80

or for a single ip.add.re.ss

Listen ip.add.re.ss:80

Also check for any Listen directives on other ports

fredvps
Posts: 61
Joined: 2014/03/13 22:05:19

Re: internal dummy connection

Post by fredvps » 2015/02/28 13:34:28

First thank you all for the very fast replies but I suspect:

This should never be just "ignored"

The apache wiki "sort of" says ignore this but also says "can GENERALLY" be ignored as a carefully worded caveat
in more than what must be 10 years of using apache I have never seen this before - calling it "normal" is clearly flat out wrong

A number of issues arise from my quoted log entry following more research:

1. IPV6 is not allowed on my system as it cannot be safely firewalled or controlled. Following your comments I ran a "grep"
on the entire system for "::1" - there were no entries I had not manually removed (eg postfix configs) or commented out by #
Therefore how did this connection get made.

2. the connection itself carries OPTIONS * HTTP/1.0
OPTIONS * seems very reminiscent of a known apache vulnerability to the point where I'd say this may be a serious issue or be related

3. this connection is not firewalled at all - (internal I know but still) - nor does it respond to either rewrite rules or setEnvif commands
yet the apache wiki suggests this can be controlled using mod_rewrite

4. Looking in my other logs: - as suggested above this does appear to have arisen as a consequence of an attempted DOS attack
which was quenched by my rate limiter (I will need to adjust the levels down perhaps or check what I'm limiting closer)

5. My concern now is threefold-
Why would apache send "OPTIONS * "
Why as HTTP/1.0 (again blocked on my system)
and how IPV6 is still running internally when not visibly configured at all

Until this activity is fully explained in detail I would suggest the widespread advice to "simply ignore these entries" not be taken.
If anyone can shed actual light I would very much like to see it.

Telling people to ignore or even block such log entries is universally dangerous IMHO no matter who suggests it.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: internal dummy connection

Post by TrevorH » 2015/02/28 14:12:56

Post the output from ifconfig lo
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jscarville
Posts: 135
Joined: 2014/06/17 21:50:37

Re: internal dummy connection

Post by jscarville » 2015/03/03 18:03:56

You may have ipv6 loaded and don't know it.

# lsmod | grep ipv6
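
Added example, not part of any post in this thread: a Python triage script for access-log entries like the one quoted in the first post. It separates entries that carry the dummy-connection User-Agent and come from a local address from entries where only the client-supplied User-Agent matches. The `own_addrs` parameter (for servers whose Listen directive binds a specific address) and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" log format, the format of the entry quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
MARKER = "(internal dummy connection)"
EXPECTED_REQUEST = "OPTIONS * HTTP/1.0"  # request seen in the quoted entry
UA = '"Apache/2.2.15 (CentOS) (internal dummy connection)"'

def is_local(client, own_addrs=()):
    """True for loopback (IPv4, IPv6, IPv4-mapped) or a listed server address."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or junk in the client field
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 addresses have this
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip in {ipaddress.ip_address(a) for a in own_addrs}

def classify(line, own_addrs=()):
    """Return 'dummy', 'review', 'spoofed-agent', 'other' or 'unparsed'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    if MARKER not in m["agent"]:
        return "other"
    if not is_local(m["client"], own_addrs):
        # The User-Agent header is client-supplied; the logged peer is not local.
        return "spoofed-agent"
    # Local peer with the marker: expected request, or something to look at.
    return "dummy" if m["request"] == EXPECTED_REQUEST else "review"

def summarize(lines, own_addrs=()):
    return Counter(classify(line, own_addrs) for line in lines)

# Constructed sample: the first line is the thread's entry, the rest are made up.
SAMPLE = [
    '::1 - - [21/Feb/2015:03:27:45 +0000] "OPTIONS * HTTP/1.0" 200 - "-" ' + UA,
    '192.0.2.10 - - [21/Feb/2015:03:27:46 +0000] "OPTIONS * HTTP/1.0" 200 - "-" ' + UA,
    '203.0.113.7 - - [21/Feb/2015:03:27:47 +0000] "GET /admin HTTP/1.1" 404 210 "-" ' + UA,
    '127.0.0.1 - - [21/Feb/2015:03:27:48 +0000] "GET / HTTP/1.0" 200 44 "-" ' + UA,
    '198.51.100.4 - - [21/Feb/2015:03:27:49 +0000] "GET /x HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE, own_addrs=["192.0.2.10"]))
```

Lines classified `spoofed-agent` or `review` are the ones to correlate with firewall and rate-limiter logs; `dummy` lines match the entry quoted at the top of the thread.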
