DDoS Attack Log Analysis Question
Jim Ohlstein
jim at ohlste.in
Sat Oct 10 03:40:57 MSD 2009
The nginx forum had a DDoS attack which took the site down this morning.
In approximately 23 seconds there were just under 900,000 lines in the
error log that looked like:
2009/10/09 10:21:38 [alert] 32576#0: accept() failed (24: Too many open files)
First question is do each of these entries represent an attempted
connection?
Looking at the access log there were thousands of requests for the same
page from roughly 400 IPs in that same 23 second span like this:
58.53.85.229 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
60.177.29.231 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
125.91.207.11 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
125.119.65.194 - - [09/Oct/2009:10:21:38 -0400] "GET /list.php?2,page=1 HTTP/1.1" 500 553 "http://forum.nginx.org" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"
All of the IPs that I checked were legitimate IPs that localize to
various regions in China.
I have set up limit_zone and limit_conn directives to hopefully mitigate
this in the future.
Second question is where to set limit_conn and what are the effects on
users if set low? The site generally responds quickly, at least here in
the US, and I don't want it to be especially sluggish for people using
less fast connections in other parts of the world, but of course I want
to reduce the chances of this happening again. Bear in mind this is a
low traffic site (16K visits in the last month) on a small VPS.
Any advice would be appreciated.
--
Jim Ohlstein
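The triage Jim is doing by eye on the access log can be scripted. The following is an added example written for this page, not code from the post or from the nginx project: it parses nginx "combined"-format lines, measures the burst (requests, time span, distinct sources, peak requests per second, most-requested URL, share of 5xx responses) and lists the sources that exceed a per-IP request threshold. The log lines it runs on are constructed to resemble the ones quoted above; the threshold of 10 requests per IP and the 192.0.2.10 "ordinary visitor" are assumptions for the demonstration, not figures from the incident.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" log format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def make_line(ip, second, path="/list.php?2,page=1", status=500):
    """Build one constructed combined-format line (sample data, not the real forum log)."""
    return (f'{ip} - - [09/Oct/2009:10:21:{second:02d} -0400] "GET {path} HTTP/1.1" '
            f'{status} 553 "http://forum.nginx.org" '
            f'"Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)"')


# Constructed sample: four flood sources each requesting the same URL three
# times per second for five seconds, plus one ordinary visitor (assumed
# address 192.0.2.10) reading two pages in the same interval.
FLOOD_IPS = ["58.53.85.229", "60.177.29.231", "125.91.207.11", "125.119.65.194"]
SAMPLE_LOG = [make_line(ip, s) for s in range(38, 43) for ip in FLOOD_IPS for _ in range(3)]
SAMPLE_LOG += [make_line("192.0.2.10", 38, "/index.php", 200),
               make_line("192.0.2.10", 41, "/read.php?2,100", 200)]


def parse(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def flood_report(lines, per_ip_threshold=10):
    """Summarise a burst of requests and flag sources above per_ip_threshold."""
    recs = parse(lines)
    if not recs:
        return {}
    first = min(r["ts"] for r in recs)
    last = max(r["ts"] for r in recs)
    per_ip = Counter(r["ip"] for r in recs)
    per_path = Counter(r["path"] for r in recs)
    per_second = Counter(r["ts"] for r in recs)      # log resolution is one second
    errors = sum(1 for r in recs if r["status"] >= 500)
    offenders = {ip: n for ip, n in per_ip.items() if n >= per_ip_threshold}
    return {
        "requests": len(recs),
        "span_seconds": (last - first).total_seconds() + 1,
        "distinct_ips": len(per_ip),
        "peak_rps": max(per_second.values()),
        "top_path": per_path.most_common(1)[0],
        "error_ratio": errors / len(recs),
        "offenders": offenders,                         # ip -> request count
        "offender_share": sum(offenders.values()) / len(recs),
    }


if __name__ == "__main__":
    report = flood_report(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real log with `flood_report(open("access.log"))`. On the sample the four flood sources account for 60 of 62 requests, all to one URL and all answered with a 500, while the ordinary visitor stays under the threshold; that separation (many sources, one URL, short window, near-100% error rate) is the signature to look for, and the per-IP counts are what to feed into a block list. On the two questions in the post: each "accept() failed (24: Too many open files)" line is one accept() call that the kernel refused with EMFILE because the worker had reached its open-file limit, so it is one queued connection nginx could not pick up at that moment rather than a distinct attacker; raising worker_rlimit_nofile (and the shell ulimit) is the usual fix for that symptom. limit_conn caps simultaneous connections per key, not requests per second, so a per-address limit in the range of a browser's parallel connections does not slow ordinary readers on slow links, it only refuses the excess connections of a source holding many at once; in nginx releases after this post the limit_zone directive was replaced by limit_conn_zone.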