Windows Server 2003 overtakes Solaris 9


Note that this graph shows only Operating Systems serving fewer than 40,000 hostnames.

The number of sites running Windows Server 2003 has overtaken Solaris 9, in spite of the fact that Windows Server 2003 does not launch until later on this month.

Solaris 9 launched in May 2002. However, Sun seems to take a relaxed view about evangelising new operating system versions; even is still running Solaris 8. is at the opposite end of the product advocacy spectrum and started running Windows 2003 last July.

Recent Changes at Notable Sites

is now reporting its server signature as "SunONE WebServer 6.0". We think that this is simply part of the rebranding of the web server away from Netscape-Enterprise, rather than a new product. appears to have switched from AIX to Linux, but in fact this is a feature of it starting to use the Akamai network for its front page.

Some notable Netscape-Enterprise sites have switched to Apache based servers, including the Vatican, Kellogg's and NASA. Kellogg's also seem to have insourced their site back from IBM.

NASA are now running something called "NASA_Webserver/2003 (NASA) mod_jk/1.2.1-beta-1" on Novell Netware. We think that this is likely to be a locally modified Apache running behind a Novell ICS reverse proxy server. In contrast to Kellogg's, NASA appear to have moved the site off their own network to AT&T.

Meanwhile, have made a change to their server signature to make it appear less obviously like a copy of Apache with a hand edited server header, and more like Microsoft-IIS. We speculate that forthcoming site enhancements at Walmart may include changing the name of the JServSessionId cookie.

Java Servlet Engines

[Graph: Java Servlet Engines, April 2003]

Although JSP has a tiny fraction of the installed base of PHP and ASP, and numbers of specialist servlet web servers are completely dwarfed by Apache and Microsoft-IIS, Java related technology has a much bigger impact on the Web than the raw site numbers suggest. Over the last year JSP has been the fastest growing scripting technology after ASP.NET. JSP sites are often bigger, more complex, and better funded and run by larger organisations than sites using the more common scripting technologies.

The higher investment on these sites makes them attractive targets for hosting and site development companies, while the relatively large number of players in the application server market means that they are likely recipients of competitive upgrade offers. With Windows 2003 launching later on this month and providing some application server functionality out of the box, it is also likely that Java based sites will be strenuously encouraged to evaluate the .Net Framework.

Tracking sites using Java based application servers is not straightforward, and often requires inspection of the site content. In particular, sites using Microsoft-IIS or Netscape-Enterprise as a web server may be running servlet engines that do not provide a signature in the HTTP server header and tracking these servers has to be done through analysis of the site content.

With the proviso that a better and more accurate view can be had by taking more content from the site, and that sites using Servlet Engines with Apache, Microsoft and SunONE web servers would not be included by this view, it is still possible to take a quick and simple view of what is going on from the HTTP server headers.

Java Servlet Engines, April 2003

Servlet Engine    By IP Address    By Site    Sites per Address
Tomcat                     9253      64532                 6.97
Resin                      9059     138664                15.31
IBM                        9049      38730                 4.28
Oracle                     5156      18072                 3.51
WebLogic                   1716       6819                 3.97
Orion                      1062       6358                 5.99
Jetty                       635       1865                 2.94
JavaWebServer               388        949                 2.45
SilverStream                370        966                 2.61
JRun (*)                    264      17859                67.65

From the table, Resin, Tomcat, IBM and Oracle are popular choices for those websites that support Java-based web applications.

This is not an exhaustive list of servlet engines - for example some older engines, such as Apache JServ, still have a wide presence across the net, but are now deprecated in favour of newer implementations.

(*) The high ratio of sites per address for JRun is caused by two hosts that support many thousands of sites.

Apache/2.0.45 released to counter Denial of Service vulnerability

The Apache Project have announced that versions of Apache/2.0 up to and including Apache/2.0.44 are vulnerable to a denial of service attack. To fix the problem, the project has released Apache/2.0.45 which is available for download.

People running Apache servers should note that the vulnerability only applies to Apache/2.0 and not Apache/1.3. In this respect the bug is not a big threat to the stability of the web - it is a denial of service rather than a remote compromise and the number of sites running Apache/2.0 is relatively small. Almost 99% of Apache sites are on Apache/1.3 or earlier.
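An added example (not from the original article or the Apache Project): a banner check over an inventory of your own hosts, applying the version range stated above. Host names and banners in the sample are constructed, apart from the NASA signature quoted from this page; anything without a full Apache version token is reported as unverified, because a Server header can be edited or truncated.

```python
import re
from collections import defaultdict

FIXED = (2, 0, 45)  # first release without the flaw, per the announcement above
# Match a real "Apache/x.y[.z]" token, but not "Apache-Coyote/1.1" or "Foo-Apache/...".
TOKEN = re.compile(r"(?<![\w-])Apache/(\d+)\.(\d+)(?:\.(\d+))?")

def classify(banner):
    """Map one HTTP Server header value to a triage status."""
    m = TOKEN.search(banner or "")
    if m is None:
        return "unverified"      # hidden, rebranded or non-Apache banner
    major, minor = int(m.group(1)), int(m.group(2))
    if major < 2:
        return "not-affected"    # the flaw applies to Apache/2.0, not Apache/1.3
    if m.group(3) is None:
        return "unverified"      # patch level not disclosed in the banner
    return "affected" if (major, minor, int(m.group(3))) < FIXED else "fixed"

def audit(inventory):
    """Group hosts by status; 'unverified' hosts need an on-host version check."""
    report = defaultdict(list)
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return dict(report)

# Constructed sample inventory (hypothetical hosts under example.test).
SAMPLE = {
    "www.example.test": "Apache/2.0.44 (Unix)",
    "shop.example.test": "Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6g",
    "new.example.test": "Apache/2.0.45 (Unix)",
    "api.example.test": "Apache",
    "app.example.test": "Apache-Coyote/1.1",
    "mail.example.test": "Apache/2.0",
    "portal.example.test": "NASA_Webserver/2003 (NASA) mod_jk/1.2.1-beta-1",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts)}")
```
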