Yesterday, I had a DoS attack on a php/mysql webpage which uses a lot of resources. I have learned today that, for instance, in the last hour about 3000 requests for that page were made by 610 different servers, mostly from 'odd' places... China, Russia, Poland, Turkey... the usual suspects from my experience.
The bottom line is this... I hit server loads of 142 yesterday!!! And the server never crashed! Yeah, it might as well have been dead, but it wasn't. Yes, some things shut down temporarily... but the machine never went down. This is a remote server, about an hour away. It took about 20 minutes for my mysqld stop command to execute, but with time it did respond! I'm extremely impressed by this and just wanted to pass this 'trivia' along. EL rocks!
Best, John Hinton
On Wed, Oct 12, 2005 at 04:51:48PM -0400, John Hinton wrote:
> Yesterday, I had a DoS attack on a php/mysql webpage which uses a lot of resources. I have learned today that, for instance, in the last hour about 3000 requests for that page were made by 610 different servers, mostly from 'odd' places... China, Russia, Poland, Turkey... the usual suspects from my experience.
> The bottom line is this... I hit server loads of 142 yesterday!!! And the server never crashed! Yeah, it might as well have been dead, but it wasn't. Yes, some things shut down temporarily... but the machine never went down. This is a remote server, about an hour away. It took about 20 minutes for my mysqld stop command to execute, but with time it did respond! I'm extremely impressed by this and just wanted to pass this 'trivia' along. EL rocks!
It rocks even better... :) I've had it hit 200+ load and it went smoother than others did on a load of 20... It was a webserver with *many* webpages hit by spiders.
A good night to everyone (if it is night in your part of the world too :) ), Alex
John Hinton wrote:
> Yesterday, I had a DoS attack on a php/mysql webpage which uses a lot of resources. I have learned today that, for instance, in the last hour about 3000 requests for that page were made by 610 different servers, mostly from 'odd' places... China, Russia, Poland, Turkey... the usual suspects from my experience.
> The bottom line is this... I hit server loads of 142 yesterday!!! And the server never crashed! Yeah, it might as well have been dead, but it wasn't. Yes, some things shut down temporarily... but the machine never went down. This is a remote server, about an hour away. It took about 20 minutes for my mysqld stop command to execute, but with time it did respond! I'm extremely impressed by this and just wanted to pass this 'trivia' along. EL rocks!
Back in the "good ol' days" we could just add a page full of /16's, flushing all traffic from naughty places, to the iptables deny list and call it a day. Now, my company has customers in some of these "troublesome" countries so we can't drop all their packets on the floor. 8-(
That's good news about your server staying up. What does its hardware config look like?
Cheers,
Chris Mauritz wrote:
> John Hinton wrote:
>> Yesterday, I had a DoS attack on a php/mysql webpage which uses a lot of resources. I have learned today that, for instance, in the last hour about 3000 requests for that page were made by 610 different servers, mostly from 'odd' places... China, Russia, Poland, Turkey... the usual suspects from my experience.
>> The bottom line is this... I hit server loads of 142 yesterday!!! And the server never crashed! Yeah, it might as well have been dead, but it wasn't. Yes, some things shut down temporarily... but the machine never went down. This is a remote server, about an hour away. It took about 20 minutes for my mysqld stop command to execute, but with time it did respond! I'm extremely impressed by this and just wanted to pass this 'trivia' along. EL rocks!
> Back in the "good ol' days" we could just add a page full of /16's, flushing all traffic from naughty places, to the iptables deny list and call it a day. Now, my company has customers in some of these "troublesome" countries so we can't drop all their packets on the floor. 8-(
> That's good news about your server staying up. What does its hardware config look like?
It's actually one of our very old boat anchors... the replacement for which is sitting here waiting for me to move stuff. It's an old Compaq 3000R with dual 500s, a gig of RAM and 6 18.2gig wide ultra drives... RAID 5 with hot spare. Dual P/S, redundant fans... was state of the art in 1999! ;)
It actually does a fine job, with loads normally under 1.0, and is downright frisky as a webserver. But, as the need for more intensive email systems rises, the need for a replacement has grown... so, it will be retired pretty soon. But, when it handles a situation like this so well... gee. And reliability... well, it just now needs one of the fans replaced. What can I say? I got my money's worth! I'll likely find some use for it as a backup storage box or nameserver or something. It ain't dead yet. Then again it might not be worth the rackspace and electricity it uses for such a device. It could likely replace one of our nameserver boxes, running a 3000 single 550, which does only bind and collects postmaster and other general junk mail from all the other systems, which sometimes shows something I actually need to know about.
Best, John Hinton
John Hinton wrote:
> It's actually one of our very old boat anchors... the replacement for which is sitting here waiting for me to move stuff. It's an old Compaq 3000R with dual 500s, a gig of RAM and 6 18.2gig wide ultra drives... RAID 5 with hot spare. Dual P/S, redundant fans... was state of the art in 1999! ;)
Yeah, the 3000R and 1850R machines were built like the proverbial brick outhouse. Until very recently, I had a few lying around as backup DNS servers and mail servers. We donated a few 1850R's to a local school and they're using them for the school district's web server and mail server. 8-)
These days, I just get a pile of commodity rackmount machines and hide them behind a Foundry ServerIron or Cisco Localdirector for the anthill labour effect. Of course, if some numbnut with a zombie farm wants to take you down, there isn't a whole lot you can do about it unless you've got some serious bandwidth and lots of server horsepower. Sysadmins should just donate $20/year each to the "kneecap a hacker" fund and just send some bad people in to "reason with" the cretins. 8-)
Cheers,
Chris Mauritz wrote:
> John Hinton wrote:
>> It's actually one of our very old boat anchors... the replacement for which is sitting here waiting for me to move stuff. It's an old Compaq 3000R with dual 500s, a gig of RAM and 6 18.2gig wide ultra drives... RAID 5 with hot spare. Dual P/S, redundant fans... was state of the art in 1999! ;)
> Yeah, the 3000R and 1850R machines were built like the proverbial brick outhouse. Until very recently, I had a few lying around as backup DNS servers and mail servers. We donated a few 1850R's to a local school and they're using them for the school district's web server and mail server. 8-)
> These days, I just get a pile of commodity rackmount machines and hide them behind a Foundry ServerIron or Cisco Localdirector for the anthill labour effect. Of course, if some numbnut with a zombie farm wants to take you down, there isn't a whole lot you can do about it unless you've got some serious bandwidth and lots of server horsepower. Sysadmins should just donate $20/year each to the "kneecap a hacker" fund and just send some bad people in to "reason with" the cretins. 8-)
Yeah... KaH fund! Actually, what would be just as good is to do something like have all the people on the CentOS list start pinging/packeting the crap out of said machines. The combined bandwidth would easily overpower anybody except maybe the likes of Google. But, alas, this IS illegal activity in this country (US and others) and we could easily wind up with the authorities pounding on our doors... but... gee... if our laws don't reach into these other countries, then why should our laws apply to us if we were doing it to these other countries? Could WWIII be a ping war? :)
Best, John Hinton
On Thu, 2005-10-13 at 18:16 -0400, John Hinton wrote:
> Chris Mauritz wrote:
>> John Hinton wrote:
>>> It's actually one of our very old boat anchors... the replacement for which is sitting here waiting for me to move stuff. It's an old Compaq 3000R with dual 500s, a gig of RAM and 6 18.2gig wide ultra drives... RAID 5 with hot spare. Dual P/S, redundant fans... was state of the art in 1999! ;)
>> Yeah, the 3000R and 1850R machines were built like the proverbial brick outhouse. Until very recently, I had a few lying around as backup DNS servers and mail servers. We donated a few 1850R's to a local school and they're using them for the school district's web server and mail server. 8-)
>> These days, I just get a pile of commodity rackmount machines and hide them behind a Foundry ServerIron or Cisco Localdirector for the anthill labour effect. Of course, if some numbnut with a zombie farm wants to take you down, there isn't a whole lot you can do about it unless you've got some serious bandwidth and lots of server horsepower. Sysadmins should just donate $20/year each to the "kneecap a hacker" fund and just send some bad people in to "reason with" the cretins. 8-)
> Yeah... KaH fund! Actually, what would be just as good is to do something like have all the people on the CentOS list start pinging/packeting the crap out of said machines. The combined bandwidth would easily overpower anybody except maybe the likes of Google. But, alas, this IS illegal activity in this country (US and others) and we could easily wind up with the authorities pounding on our doors... but... gee... if our laws don't reach into these other countries, then why should our laws apply to us if we were doing it to these other countries? Could WWIII be a ping war? :)
I could just ping mirror.centos.org toward them on release day... GeeWhiz... there are a lot of you guys out there updating your CentOS :)
Johnny Hughes wrote:
>> Yeah... KaH fund! Actually, what would be just as good is to do something like have all the people on the CentOS list start pinging/packeting the crap out of said machines. The combined bandwidth would easily overpower anybody except maybe the likes of Google. But, alas, this IS illegal activity in this country (US and others) and we could easily wind up with the authorities pounding on our doors... but... gee... if our laws don't reach into these other countries, then why should our laws apply to us if we were doing it to these other countries? Could WWIII be a ping war? :)
> I could just ping mirror.centos.org toward them on release day... GeeWhiz... there are a lot of you guys out there updating your CentOS :)
Could you please? I'll send a list of the 610 IP addresses which were attacking!
You are a victim of your own success! I wish I had a huge thread in here so I could donate some viable bandwidth. Oh well... maybe one day.
Thanks for all the fantastic work!! I'm sure I can speak for many who are appreciative. Maybe you'll have to create a separate announce list for the quarterlies and only let 100 notices go out every eight hours or something. ;)
John Hinton