DDoS Attack Log Analysis Question
jim at ohlste.in
Sat Oct 10 07:44:08 MSD 2009
Chris Zimmerman wrote:
> Need a larger vps? Lol
I don't really think so. Not for 500 visitors/day. It rarely uses even
half the allotted RAM and loads are generally low. If I recall correctly
two months ago we only had ~10,000 visitors so there is some growth but
I don't anticipate it outgrowing its present confines any time soon. I
added access to the Russian mailing list last month and that has
seemingly attracted more visitors to the site from Russia and Ukraine,
and to a lesser extent from the Baltic nations, Belarus, and Kazakhstan.
> If it's virtuozzo (perhaps Xen though I don't have a lot of experience
> with that) you're going to hit open file limits put on the instance as
> well. Even with sophisticated software based firewalls you can hit
> arbitrary iptables entry limits as well.
It's a Virtuozzo VPS. I own the node so I can set the limits any way I
like. I could make the VPS huge (the node has A LOT of RAM) but there
seems little point. The volume does not justify it.
> csf has a portflood feature that works fairly well that uses the
> ipt_recent module
> or there are connection based monitors such as dos-deflate for
> firewalling IPs that reach connection thresholds.
This was a few hundred IPs at least in a 23 second period. The site was
evidently unresponsive from the first second of the attack (given the
500 responses) and dead at 23 seconds. I'm not sure that all of the
requests got logged before nginx was killed. How quickly do those tools
respond? I have a basic firewall installed and did not consider this
site likely to generate a DoS attack. It's hardly controversial. :p
> Though really your connection limit was probably the biggest issue. I
> could see nginx handling simple requests like that no sweat if you have
> caching enabled.
I've added connection limits. Not going to publish the number but it's low.
I'm still curious if each of those lines in the error log represented
one request. If so, almost 900,000 logged requests in less than half a
minute was an atomic bomb for this little ant-sized server.
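The kind of per-second analysis the thread is circling (how many requests, from how many distinct IPs, and how many 500s landed in each second of the burst) can be done straight from nginx's access log. The following is an added example, not code from the original post or from nginx; it assumes the default "combined" log format, and the sample log lines are constructed here for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" access-log line, e.g.
# 192.0.2.1 - - [10/Oct/2009:07:30:01 +0400] "GET / HTTP/1.1" 500 0 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

def parse_line(line):
    """Return (timestamp, client_ip, status) or None if the line is not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), int(m.group("status"))

def summarize(lines):
    """Bucket requests by second: request count, distinct client IPs, 5xx count."""
    per_sec = defaultdict(lambda: {"requests": 0, "ips": set(), "errors": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip truncated or foreign lines
            continue
        ts, ip, status = parsed
        bucket = per_sec[ts.replace(microsecond=0)]
        bucket["requests"] += 1
        bucket["ips"].add(ip)
        if status >= 500:
            bucket["errors"] += 1
    return per_sec

def flag_flood(lines, max_rps=50, min_ips=20):
    """Seconds where the request rate AND the number of distinct sources both exceed thresholds.
    Thresholds are placeholders; tune them to the site's normal traffic."""
    return sorted(ts for ts, b in summarize(lines).items()
                  if b["requests"] > max_rps and len(b["ips"]) >= min_ips)

def _line(ip, second, status):
    # Helper to build a constructed log line at 07:30:<second>
    return (f'{ip} - - [10/Oct/2009:07:30:{second:02d} +0400] '
            f'"GET / HTTP/1.1" {status} 0 "-" "constructed-UA"')

# Constructed sample: two quiet seconds, then a three-second burst
# of 500 responses from 60 distinct (documentation-range) addresses.
SAMPLE = [_line("192.0.2.1", 0, 200), _line("192.0.2.2", 1, 200)]
for sec in (2, 3, 4):
    SAMPLE.extend(_line(f"203.0.113.{i + 1}", sec, 500) for i in range(60))
```

Running `flag_flood(SAMPLE)` on this sample returns the three burst seconds; on a real log it gives the window to compare against the connection limits being discussed.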