Re: DDoS Attack Log Analysis Question

October 09, 2009 11:48PM
Chris Zimmerman wrote:
> Need a larger vps? Lol

I don't really think so. Not for 500 visitors/day. It rarely uses even
half the allotted RAM and loads are generally low. If I recall correctly
two months ago we only had ~10,000 visitors so there is some growth but
I don't anticipate it outgrowing its present confines any time soon. I
added access to the Russian mailing list last month and that has
seemingly attracted more visitors to the site from Russia and Ukraine,
and to a lesser extent from the Baltic nations, Belarus, and Kazakhstan.

> If it's virtuozzo (perhaps Xen though I don't have a lot of experience
> with that) you're going to hit open file limits put on the instance as
> well. Even with sophisticated software based firewalls you can hit
> arbitrary iptable entry limits as well.

It's a Virtuozzo VPS. I own the node so I can set the limits any way I
like. I could make the VPS huge (the node has A LOT of RAM) but there
seems little point. The volume does not justify it.

>
> csf has a portflood feature that works fairly well that uses the
> ipt_recent module
> or there are connection based monitors such as dos-deflate for
> firewalling IPs that reach connection thresholds.

This was a few hundred IPs at least in a 23 second period. The site was
evidently unresponsive from the first second of the attack (given the
500 responses) and dead at 23 seconds. I'm not sure that all of the
requests got logged before nginx was killed. How quickly do those tools
respond? I have a basic firewall installed and did not consider this
site likely to generate a DoS attack. It's hardly controversial. :p

>
> Though really your connection limit was probably the biggest issue. I
> could see nginx handling simple requests like that no sweat if you have
> caching enabled.

I've added connection limits. Not going to publish the number but it's low.

I'm still curious if each of those lines in the error log represented
one request. If so, almost 900,000 logged requests in less than half a
minute was an atomic bomb for this little ant-sized server.

--
Jim Ohlstein
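
On the question of whether each error-log line is one request, an added example (not part of the original post, and not run against the log discussed here, which the page does not show): it assumes the standard nginx error_log line layout and uses constructed sample lines with documentation addresses. A single request can log more than one line (for instance one per upstream tried), and some lines, such as accept() failures, belong to no request at all, so the line count is only an upper bound.

```python
import re
from collections import Counter

# nginx error_log prefix: "YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message"
LINE = re.compile(r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] '
                  r'\d+#\d+: (?:\*(?P<conn>\d+) )?(?P<msg>.*)$')
CLIENT = re.compile(r'client: ([^,\s]+)')

def _line(ts, conn, ip, port):
    # Helper that builds one CONSTRUCTED sample entry (not taken from the thread).
    return (f'2009/10/09 {ts} [error] 2101#0: *{conn} connect() failed '
            f'(111: Connection refused) while connecting to upstream, '
            f'client: {ip}, server: example.org, request: "GET / HTTP/1.1", '
            f'upstream: "http://127.0.0.1:{port}/", host: "example.org"')

SAMPLE = "\n".join([
    _line("19:40:01", 101, "192.0.2.10", 8080),
    _line("19:40:01", 101, "192.0.2.10", 8081),  # same request, second upstream
    _line("19:40:01", 102, "192.0.2.11", 8080),
    _line("19:40:02", 103, "192.0.2.10", 8080),
    "2009/10/09 19:40:02 [alert] 2101#0: accept() failed (24: Too many open files)",
])

def summarize(log_text):
    """Count log lines, distinct connections, and lines per second and per client."""
    lines, no_conn = 0, 0
    conns, per_second, per_client = set(), Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not an error_log entry
        lines += 1
        per_second[m['ts']] += 1
        if m['conn']:
            conns.add(m['conn'])          # "*N" is nginx's connection counter
        else:
            no_conn += 1                  # entry tied to no client connection
        c = CLIENT.search(m['msg'])
        if c:
            per_client[c.group(1)] += 1
    return {'lines': lines, 'connections': len(conns), 'no_conn': no_conn,
            'peak_second': per_second.most_common(1)[0] if per_second else None,
            'clients': per_client.most_common()}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Comparing `lines` with `connections` shows how far the raw line count overstates the traffic, and `clients` gives the per-address totals that a connection limit or a threshold-based firewall tool would act on.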