DDoS Attack Log Analysis Question

Maxim Dounin mdounin at mdounin.ru
Sat Oct 10 14:00:47 MSD 2009


On Fri, Oct 09, 2009 at 07:40:57PM -0400, Jim Ohlstein wrote:

> The nginx forum had a DDoS attack which took the site down this
> morning.  In approximately 23 seconds there were just under 900,000
> lines in the error log that looked like:
> 2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many
> open files)
> First question is do each of these entries represent an attempted
> connection?

No.  This is configuration issue lead to infinite loop which can't 
be resolved until more files can be opened.

Since this looks like common configuration issue, probably we need 
some accept pause in such situations...

Maxim Dounin

More information about the nginx mailing list