DDoS Attack Log Analysis Question

Jim Ohlstein jim at ohlste.in
Sat Oct 10 06:45:18 MSD 2009


Payam Chychi wrote:
> On Fri, Oct 9, 2009 at 4:40 PM, Jim Ohlstein <jim at ohlste.in> wrote:
>> The nginx forum had a DDoS attack which took the site down this morning.  In
>> approximately 23 seconds there were just under 900,000 lines in the error
>> log that looked like:
>>
>> 2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many open
>> files)
>>
>> First question is do each of these entries represent an attempted
>> connection?
>>
>>
>> Looking at the access log there were thousands of requests for the same page
>> from roughly 400 IPs in that same 23 second span like this:
>>
>> 58.53.85.229 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1
>> HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0
>> (compatible; MSIE 6.0; Windows 5.1)"
>> 60.177.29.231 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1
>> HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0
>>  (compatible; MSIE 6.0; Windows 5.1)"
>> 125.91.207.11 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1
>> HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0
>>  (compatible; MSIE 6.0; Windows 5.1)"
>> 125.119.65.194 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1
>> HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.
>> 0 (compatible; MSIE 6.0; Windows 5.1)"
>>
>>
>> All of the IPs that I checked were legitimate IPs that localize to various
>> regions in China.
>>
>> I have set up limit_zone and limit_conn directives to hopefully mitigate
>> this in the future.
>>
>> Second question is where to set limit_conn and what are the effects on users
>> if set low? The site generally responds quickly, at least here in the US,
>> and I don't want it to be especially sluggish for people using less fast
>> connections in other parts of the world, but of course I want to reduce the
>> chances of this happening again. Bear in mind this is a low traffic site
>> (16K visits in the last month) on a small VPS.
>>
>> Any advice would be appreciated.
>>
>> --
>> Jim Ohlstein
>>
>>
> 
> Jim,
> 
> Your main issue is going to be the system 'open files' setting, can
> you show me the output of the following please, run the command as
> root or the user that runs the nginx proc.  'ulimit -a'
> 
> by default linux sets this value to  which really means that you can't
> have more than 1024 file descriptors open on the system at one time.
> 
> You can modify this setting to safely allow up to 150,000 on a more
> recent dual core box.
> 'ulimit -n 150000'

It's hardly a dual core box. :) It's a small VPS with 256 MB of RAM that 
has a great deal of room to spare. Once again, we only receive ~500 
visitors per day on average. Open files were set at 4096 which I 
*thought* would have been more than enough for the (one) nginx worker 
process max connections which is set at 1024. I have already increased 
the number to 32768. I'm not totally convinced that will do much in this 
situation given the intensity of the attack on such a small system. I 
would think that eventually some system resource would have given even 
if file descriptors had not run out, though I must admit that I have 
been fortunate not to have dealt with this much in the past.

> 
> try reading up on ulimit, it's huge for system performance, also make
> sure you're not running any iptables connection tracking else you will
> need to fine tune those settings as well.
> 
> 


-- 
Jim Ohlstein
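As an added illustration (not part of this thread, and not code from nginx or from either poster), the following Python script runs the kind of log triage described above over a few constructed sample lines in the same two formats quoted in the thread. It parses access-log entries, counts requests per second and per source IP, flags IPs that repeat the same URL within a single second, and counts the `accept() failed (24: Too many open files)` alerts per second in the error log so the two logs can be lined up on a common timeline. The IP addresses (RFC 5737 documentation ranges), the threshold of 3, and the log lines themselves are constructed samples, not the real attack data.

```python
import re
from collections import Counter

# Constructed sample access-log lines in the combined format quoted in the
# thread. Addresses are RFC 5737 documentation ranges, not the real sources.
ACCESS_LOG = """\
203.0.113.5 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
203.0.113.5 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
203.0.113.5 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
198.51.100.7 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
198.51.100.7 - - [09/Oct/2009:10:21:39 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
192.0.2.44 - - [09/Oct/2009:10:21:39 -0400] "GET /index.php HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
"""

# Constructed sample error-log lines; the first three mirror the alert quoted
# in the thread, the last is an unrelated error that must not be counted.
ERROR_LOG = """\
2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many open files)
2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many open files)
2009/10/09 10:21:39 [alert] 32576#0: accept() failed (24: Too many open files)
2009/10/09 10:21:39 [error] 32576#0: *101 open() "/var/www/missing.png" failed (2: No such file or directory)
"""

# Combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
ACCEPT_FAIL_RE = re.compile(r"accept\(\) failed \(24: Too many open files\)")


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        # "09/Oct/2009:10:21:38 -0400" -> "09/Oct/2009:10:21:38" (second granularity)
        rec["second"] = rec["ts"].split(" ")[0]
        records.append(rec)
    return records


def requests_per_second(records):
    """How many requests arrived in each one-second bucket."""
    return Counter(r["second"] for r in records)


def requests_per_url(records):
    """Which request lines dominate the log; a flood usually targets one URL."""
    return Counter(r["req"] for r in records)


def flagged_ips(records, threshold=3):
    """IPs that issued >= threshold identical requests within one second
    (threshold is an assumed tuning value, not taken from the thread)."""
    hits = Counter((r["ip"], r["req"], r["second"]) for r in records)
    return sorted({ip for (ip, _req, _sec), n in hits.items() if n >= threshold})


def accept_failures_per_second(text):
    """Count the 'Too many open files' alerts per second of the nginx error log."""
    out = Counter()
    for line in text.splitlines():
        if ACCEPT_FAIL_RE.search(line):
            out[line[:19]] += 1  # leading "YYYY/MM/DD HH:MM:SS"
    return out


def summarize(access_text, error_text, threshold=3):
    """Single dict a responder can eyeball or feed to an alerting rule."""
    records = parse_access_log(access_text)
    by_second = requests_per_second(records)
    return {
        "requests": len(records),
        "unique_ips": len({r["ip"] for r in records}),
        "peak_rps": max(by_second.values()) if by_second else 0,
        "top_url": requests_per_url(records).most_common(1)[0] if records else None,
        "flagged_ips": flagged_ips(records, threshold),
        "accept_failures": sum(accept_failures_per_second(error_text).values()),
    }


if __name__ == "__main__":
    for key, value in summarize(ACCESS_LOG, ERROR_LOG).items():
        print(f"{key}: {value}")
```

Against real logs, the per-second counts from both files are the numbers to compare: the access log shows the requests nginx did manage to accept and answer, while the `accept()` alerts show connections it could not take at all, which is why the error-log count can dwarf the access-log count during the same few seconds. The flagged-IP list is a starting point for a `limit_conn`/`deny` decision, not a verdict on its own.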