Mailing List Archive



Re: [tlug] Monkey vs Apache!!! Fight!




Hi Sach,


On 06/04/11 15:36, Sach Jobb wrote:
> > It is probably hard to get more information from this
> > person, but what was he doing at the time?  With all these
> Actually he was quite friendly, in fact he invited me to come over,
> drink some beer and check it out myself. The thing is, even if I went,
> I wouldn't be quite sure what I was looking for. If you have any ideas
> I can probably test them out.


I don't know much about Macs but I doubt Firefox would keep any useful logs.

I presume he already has a virus scanner running. Surely, if it happens to him again, but on another server, he should do something about it. That's probably all you can suggest to him.

I think all you can do on your side in response to what happened is to ensure it wasn't something wrong with your code (as Stephen said yesterday).


> My roommate and I once set up a monitor that looked at criterion.com once
> an hour to see if the home page changed (it was basically just a
> diff) and then it would email us if something changed. They banned our
> IP and we could never get it unblocked.
...
> I did set up a slightly ghetto solution that does do something sort of
> like that. Sends a warning when it gets busy, but at that point it's
> basically already too late seeing as the whole thing happens in a
> matter of seconds. I guess it's more like a message telling us to
> restart the service because it's about to go down. I'm looking for a
> more resilient solution.


I guess you have to dig around to see what major government and business web sites do to handle DoS attacks.

Besides adding a firewall to screen accesses, one simple idea is to emulate what criterion.com did to you -- create a script that looks at the accesses (directly in the access.log or through other means) via a cronjob and block an IP address if the number of hits in a minute is too many. You're going to have to play around with the parameters, but you now have a situation where it has happened -- so you can use that as the basis of deciding what threshold to set (i.e., the number of accesses/minute or the rate of growth of the access.log file in bytes). I guess you can extract the IP address and block it automatically...perhaps. :-)

I guess someone has developed a library to do this...sorry, I don't know of one...

Ray
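
The cron-driven access.log check described in the message above, as an added example that is not part of the original post or of any project mentioned in the thread. It assumes the server writes Common/Combined Log Format; the function names, the threshold of 30 hits per minute, the allowlist and the sample lines are all constructed for illustration, and the iptables rules are only rendered for review, not executed.

```python
import ipaddress
import re
from collections import Counter

# Common/Combined Log Format: client address first, timestamp in [brackets].
# Group 2 keeps the timestamp down to the minute, dropping seconds and zone.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\]')

def hits_per_minute(lines):
    """Count requests per (client, minute) bucket; unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts

def offenders(lines, threshold, allowlist=()):
    """Return {client: peak hits in any single minute} for clients above threshold."""
    peak = {}
    for (client, _minute), n in hits_per_minute(lines).items():
        if n > threshold and client not in allowlist:
            peak[client] = max(peak.get(client, 0), n)
    return peak

def block_commands(peak):
    """Render iptables DROP rules as text for an operator to review."""
    cmds = []
    for client, n in sorted(peak.items()):
        try:
            ip = ipaddress.ip_address(client)  # reject hostnames and junk from the log
        except ValueError:
            continue
        cmds.append(f"iptables -I INPUT -s {ip} -j DROP  # peak {n}/min")
    return cmds

# Constructed sample: one client with 40 hits inside a minute, one quiet client.
SAMPLE = (
    ['192.0.2.10 - - [06/Apr/2011:15:36:%02d +0900] "GET / HTTP/1.1" 200 512' % s
     for s in range(40)]
    + ['198.51.100.7 - - [06/Apr/2011:15:36:05 +0900] "GET /a HTTP/1.1" 200 99',
       '198.51.100.7 - - [06/Apr/2011:15:37:05 +0900] "GET /b HTTP/1.1" 200 99',
       'not a log line']
)

if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE, threshold=30)):
        print(cmd)
```

Tune the threshold against the access.log from the incident itself, and keep your own monitoring hosts in the allowlist so the check does not lock them out.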



