DDoS Attack Log Analysis Question

Jim Ohlstein jim at ohlste.in
Sat Oct 10 07:44:08 MSD 2009


Chris Zimmerman wrote:
> Need a larger vps? Lol    

I don't really think so. Not for 500 visitors/day. It rarely uses even 
half the allotted RAM and loads are generally low. If I recall correctly 
two months ago we only had ~10,000 visitors so there is some growth but 
I don't anticipate it outgrowing its present confines any time soon. I 
added access to the Russian mailing list last month and that has 
seemingly attracted more visitors to the site from Russia and Ukraine, 
and to a lesser extent from the Baltic nations, Belarus, and Kazakhstan.

> If it's virtuozzo (perhaps Xen though I don't have a lot of experience 
> with that) you're going to hit open file limits put on the instance as 
> well. Even with sophisticated software based firewalls you can hit 
> arbitrary iptables entry limits as well.

It's a Virtuozzo VPS. I own the node so I can set the limits any way I 
like. I could make the VPS huge (the node has A LOT of RAM) but there 
seems little point. The volume does not justify it.

> 
> csf has a portflood feature that works fairly well that uses the 
> ipt_recent module, or there are connection based monitors such as 
> dos-deflate for firewalling IPs that reach connection thresholds.

This was a few hundred IPs at least in a 23 second period. The site was 
evidently unresponsive from the first second of the attack (given the 
500 responses) and dead at 23 seconds. I'm not sure that all of the 
requests got logged before nginx was killed. How quickly do those tools 
respond? I have a basic firewall installed and did not consider this 
site likely to generate a DoS attack. It's hardly controversial. :p

> 
> Though really your connection limit was probably the biggest issue. I 
> could see nginx handling simple requests like that no sweat if you have 
> caching enabled.

I've added connection limits. Not going to publish the number but it's low.

I'm still curious if each of those lines in the error log represented 
one request. If so, almost 900,000 logged requests in less than half a 
minute was an atomic bomb for this little ant-sized server.

-- 
Jim Ohlstein
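The question above, whether each error-log line was one request and how the flood was spread over time and over source addresses, is the kind of thing a short script answers better than eyeballing 900,000 lines. The following is an added example, not code from the thread or from the nginx project: it parses lines in nginx's error-log layout (`YYYY/MM/DD HH:MM:SS [level] pid#tid: *connection message, client: ip, ..., request: "..."`), separates request-level lines (those carrying a `client:` field) from server-level ones such as `accept()` failures, and reports line counts per second, distinct connection numbers, distinct clients, and which clients exceed a threshold. The log lines, the IP addresses and the threshold are constructed for the example; the field names are only those nginx writes.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in nginx error-log format (not lines from the original thread).
# Lines 1-4 and 6 carry a connection number and a "client:" field; line 5 is a
# server-level accept() failure with no client or request attached.
SAMPLE_LOG = """\
2009/10/10 07:30:01 [error] 1234#0: *51 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.10, server: example.com, request: "GET / HTTP/1.0", upstream: "http://127.0.0.1:8080/", host: "example.com"
2009/10/10 07:30:01 [error] 1234#0: *52 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.11, server: example.com, request: "GET / HTTP/1.0", upstream: "http://127.0.0.1:8080/", host: "example.com"
2009/10/10 07:30:02 [error] 1234#0: *53 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.10, server: example.com, request: "GET / HTTP/1.0", upstream: "http://127.0.0.1:8080/", host: "example.com"
2009/10/10 07:30:02 [crit] 1234#0: *54 open() "/var/www/index.html" failed (24: Too many open files), client: 198.51.100.7, server: example.com, request: "GET /index.html HTTP/1.0", host: "example.com"
2009/10/10 07:30:02 [alert] 1234#0: accept() failed (24: Too many open files)
2009/10/10 07:30:03 [error] 1234#0: *55 connect() failed (111: Connection refused) while connecting to upstream, client: 198.51.100.8, server: example.com, request: "GET / HTTP/1.0", upstream: "http://127.0.0.1:8080/", host: "example.com"
"""

# One record per line: timestamp, level, pid#tid, optional *connection number, message.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?:\*(?P<conn>\d+) )?(?P<msg>.*)$'
)
CLIENT_RE = re.compile(r'client: (?P<ip>[^,\s]+)')
REQUEST_RE = re.compile(r'request: "(?P<req>[^"]*)"')


def parse_error_log(text):
    """Turn error-log text into a list of dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        client = CLIENT_RE.search(msg)
        request = REQUEST_RE.search(msg)
        entries.append({
            'time': datetime.strptime(m.group('ts'), '%Y/%m/%d %H:%M:%S'),
            'level': m.group('level'),
            'conn': int(m.group('conn')) if m.group('conn') else None,
            'client': client.group('ip') if client else None,
            'request': request.group('req') if request else None,
            'message': msg,
        })
    return entries


def summarize(entries):
    """Volume, timing and source-address spread of the logged errors."""
    request_lines = [e for e in entries if e['client'] is not None]
    per_second = Counter(e['time'] for e in entries)
    peak_time, peak_lines = per_second.most_common(1)[0]
    first = min(e['time'] for e in entries)
    last = max(e['time'] for e in entries)
    return {
        'total_lines': len(entries),
        # lines tied to a client request; several can belong to one connection
        'request_lines': len(request_lines),
        # accept()/socket() style failures carry no client and are not requests
        'server_level_lines': len(entries) - len(request_lines),
        # distinct *N connection numbers: a tighter estimate than raw line count
        'distinct_connections': len({e['conn'] for e in request_lines
                                     if e['conn'] is not None}),
        'distinct_clients': len({e['client'] for e in request_lines}),
        'span_seconds': int((last - first).total_seconds()) + 1,
        'peak_lines_per_second': peak_lines,
        'peak_second': peak_time.strftime('%H:%M:%S'),
        'top_clients': Counter(e['client'] for e in request_lines).most_common(5),
    }


def clients_over_threshold(entries, threshold):
    """Source addresses with at least `threshold` request-level error lines."""
    counts = Counter(e['client'] for e in entries if e['client'] is not None)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    parsed = parse_error_log(SAMPLE_LOG)
    for key, value in summarize(parsed).items():
        print(f'{key}: {value}')
    print('clients at or over 2 lines:', clients_over_threshold(parsed, 2))
```

The distinction the script draws is the practical answer to the "one line per request" question: a line that carries a connection number and a `client:` field belongs to one connection, but a single request can emit more than one such line (for instance one per upstream it tried), and lines without a client, such as `accept() failed`, are the server running out of descriptors rather than requests at all. Counting distinct connection numbers therefore gives a more defensible request estimate than counting lines, and the per-second peak and per-client counts are what a `limit_conn`-style setting or a connection-threshold tool would need to be tuned against.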