DDoS Attack Log Analysis Question

Jim Ohlstein jim at ohlste.in
Sat Oct 10 18:12:45 MSD 2009


Maxim Dounin wrote:
> Hello!
> 
> On Fri, Oct 09, 2009 at 07:40:57PM -0400, Jim Ohlstein wrote:
> 
>> The nginx forum had a DDoS attack which took the site down this
>> morning.  In approximately 23 seconds there were just under 900,000
>> lines in the error log that looked like:
>>
>> 2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many
>> open files)
>>
>> First question is do each of these entries represent an attempted
>> connection?
> 
> No.  This is a configuration issue leading to an infinite loop which can't 
> be resolved until more files can be opened.

Thank you. I found it hard to imagine that there were that many requests 
in such a small period directed at such a small site.

> 
> Since this looks like a common configuration issue, probably we need 
> some accept pause in such situations...
> 
> Maxim Dounin
> 


-- 
Jim Ohlstein
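
An added example, not part of the original thread or of nginx itself: a small Python summary of `accept() failed` alerts per second and per worker pid, for telling a burst of errno 24 alerts apart from a count of attempted connections. The function names, the `burst_threshold` cut-off, the second pid and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# nginx error_log layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)$"
)
ACCEPT_RE = re.compile(r"accept\(\) failed \((?P<errno>\d+): [^)]*\)")
EMFILE = 24  # errno shown in the thread's log line ("Too many open files")


def summarize_accept_failures(lines, burst_threshold=1000):
    """Group accept() failures by second and by worker pid.

    burst_threshold is an assumed cut-off: more alerts per second than this,
    all with errno 24, is read as the retry loop, not as a connection count.
    """
    per_second, per_worker, errnos = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an error_log line in the expected layout
        a = ACCEPT_RE.search(m["msg"])
        if not a:
            continue  # some other error, ignored here
        per_second[m["ts"]] += 1
        per_worker[m["pid"]] += 1
        errnos[int(a["errno"])] += 1
    total = sum(per_second.values())
    peak = max(per_second.values(), default=0)
    return {
        "total": total,
        "peak_per_second": peak,
        "workers": sorted(per_worker),
        "fd_exhaustion_loop": total > 0 and errnos[EMFILE] == total
        and peak >= burst_threshold,
    }


def constructed_sample():
    """Constructed input: two seconds, two worker pids, plus an unrelated line."""
    tmpl = "2009/10/09 10:21:{} [alert] {}#0: accept() failed (24: Too many open files)"
    lines = [tmpl.format(s, p) for s in (38, 39) for p in (32576, 32577)
             for _ in range(1500)]
    lines.append('2009/10/09 10:21:40 [error] 32576#0: *1 open() "/var/www/x" '
                 'failed (2: No such file or directory)')
    return lines
```
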




