Re: [Savannah-hackers-public] Network Problem? DDoS? System? 2016-10-29
From: Bob Proulx
Subject: Re: [Savannah-hackers-public] Network Problem? DDoS? System? 2016-10-29
Date: Sat, 29 Oct 2016 13:16:45 -0600
User-agent: NeoMutt/20161014 (1.7.1)

Savannah Hackers,

Ruben saw that the problem was a web crawler that is crawling fast
but not closing connections, effectively becoming a SYN attack. It
also hit www.gnu.org yesterday. Therefore he blocked it site-wide,
since it would just move on to yet another web server after this. I
have been communicating with Ruben on IRC.

I am kicking myself that I should have been able to detect this
problem by looking at the network state stats. The high number of
connections in the SYN_RECV state was a dead giveaway to the
problem. Plus the high rate of log entries. However, the Apache log
configuration on vcs is abysmal and definitely not good. That is
cleaned up on vcs0. It would have been easier to see this problem in
the web logs there.

With this, everything seems to have returned to normal operation.

Bob
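
The network-state check mentioned in the message, counting connections in the SYN_RECV state, as an added example that is not part of the original message or of Savannah's tooling. It assumes the Linux `/proc/net/tcp` layout on a little-endian host; the sample rows, the documentation-range addresses and the threshold of 3 are constructed for illustration.

```python
import socket
from collections import Counter

TCP_SYN_RECV = 0x03  # Linux kernel state code shown in the "st" column

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1001
   1: 0A0200C0:0050 076433C6:C001 03 00000000:00000000 01:00000064 00000001 0 0 0
   2: 0A0200C0:0050 076433C6:C002 03 00000000:00000000 01:00000064 00000001 0 0 0
   3: 0A0200C0:0050 076433C6:C003 03 00000000:00000000 01:00000064 00000002 0 0 0
   4: 0A0200C0:0050 076433C6:C004 03 00000000:00000000 01:00000064 00000002 0 0 0
   5: 0A0200C0:0050 057100CB:9C40 01 00000000:00000000 00:00000000 00000000 33 0 1002
   6: 0A0200C0:0050 057100CB:9C41 03 00000000:00000000 01:00000064 00000000 0 0 0
"""

def decode_addr(hex_addr):
    """Decode the 8-hex-digit IPv4 field (assumes a little-endian host)."""
    return socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])

def connections(text):
    """Yield (remote_ip, state_code) for each socket row, skipping the header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        yield decode_addr(fields[2].split(":")[0]), int(fields[3], 16)

def syn_recv_by_source(text):
    """Count half-open (SYN_RECV) connections per remote address."""
    return Counter(ip for ip, st in connections(text) if st == TCP_SYN_RECV)

def flag_sources(text, threshold):
    """Return (ip, count) pairs at or above threshold, busiest first."""
    return [(ip, n) for ip, n in syn_recv_by_source(text).most_common()
            if n >= threshold]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:   # live data on a Linux host
            data = f.read()
    except OSError:
        data = SAMPLE
    total = sum(syn_recv_by_source(data).values())
    print(f"SYN_RECV total: {total}")
    for ip, n in flag_sources(data, threshold=3):  # threshold is an assumption
        print(f"{n:6d} half-open from {ip}")
```

IPv6 sockets are listed separately in `/proc/net/tcp6` and are not covered by this parser.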