Since 4 a.m. Friday, a computer at a Swedish IT company made more than 1.5 million web requests to my web site URouLette, which links to random web pages stored in a MySQL database. They're coming in at a speed of 38 requests a second. My MySQL database server can't handle that many requests, so by Friday afternoon Workbench and a bunch of other sites slowed to a crawl as the web server began belching black smoke. A massive crash was imminent.

The last time somebody did this, I used the Linux utility iptables to reject all connections from the offending IP address, which solved the problem easy peasy lemon squeezy. This time around, iptables failed with a "Can't open dependencies file" error.

My new friend in Sweden appears to be building a database of web addresses by requesting a URouLette script that loads a random web page over and over. This is both obnoxious and dumb -- all links on URouLette come from the Open Directory Project and can be downloaded in one file. I've reduced the severity of the problem by sending the same link with every request -- the company's home page.

Flooding a web server with this many requests constitutes a denial of service attack. In the time I've composed this blog entry, another 100,000 requests have been made. Ironically, an employee of the company blogged recently that it was suffering its own attack, though on a much larger scale:

Tens of thousands of machines on the internet suddenly started trying to access a single host within the network. The IP they targeted has in fact never been publicly used as long as we've owned it (which is just a bit under two years) and it has never had any public services.

We have no clue whatsoever why someone would do this against us. We don’t have any particular services that anyone would gain anything by killing. We're just very puzzled.

Our "ISP", the guys we buy bandwidth and related services from, said they used up about 1 gigabit/sec worth of bandwidth and with our "mere" 10megabit/sec connection it was of course impossible to offer any services while this was going on.

This is a good time to mention that I never liked Bjorn Borg.

-- Rogers Cadenhead
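The following is an added example, not part of the original post: one way to pick a flooding client like the one described above out of a web server access log by its peak per-second request rate, and to print a reviewable iptables rule for it. The Common Log Format input, the function names, the 38 requests/second threshold (taken from the rate quoted in the post) and the sample addresses and paths are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find clients whose peak per-second request rate meets a threshold.
# Input: Common Log Format access log on stdin (field 1 = client IP,
# field 4 = "[dd/Mon/yyyy:HH:MM:SS").
# Output: "ip peak_requests_per_second total_requests", busiest first.
flood_sources() {
    threshold="$1"
    awk -v limit="$threshold" '
        NF >= 4 && $4 ~ /^\[/ {
            ip = $1
            second = substr($4, 2)      # timestamp at 1-second resolution
            total[ip]++
            n = ++hits[ip, second]      # requests from this IP in this second
            if (n > peak[ip]) peak[ip] = n
        }
        END {
            for (ip in peak)
                if (peak[ip] >= limit)
                    printf "%s %d %d\n", ip, peak[ip], total[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample log: 192.0.2.10 sends 40 requests within one second,
# two other clients browse normally. Addresses and paths are made up.
sample_log() {
    i=0
    while [ "$i" -lt 40 ]; do
        printf '192.0.2.10 - - [01/Jan/2000:04:00:01 +0000] "GET /random HTTP/1.1" 302 0\n'
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [01/Jan/2000:04:00:01 +0000] "GET / HTTP/1.1" 200 512\n'
    printf '198.51.100.7 - - [01/Jan/2000:04:00:02 +0000] "GET /about HTTP/1.1" 200 900\n'
    printf '203.0.113.5 - - [01/Jan/2000:04:00:02 +0000] "GET / HTTP/1.1" 200 512\n'
}

# Print block rules for review instead of applying them directly.
block_rules() {
    flood_sources "$1" | while read -r ip peak total; do
        printf 'iptables -I INPUT 1 -s %s -j DROP  # peak %s req/s, %s total\n' \
            "$ip" "$peak" "$total"
    done
}

sample_log | block_rules 38
```

Printing the rules rather than running them leaves room to check that a busy address is not a proxy or search crawler you want to keep before blocking it.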

Comments

Once you get iptables working, you might want to consider tarpitting the source instead of just dropping traffic. Tarpitting consumes resources on the attacker's end and should slow them down.

iptables -t raw -A PREROUTING -p tcp -s bad.guys.ip.addr -j NOTRACK

iptables -I INPUT 1 -p tcp -s bad.guys.ip.addr -j TARPIT

(The NOTRACK rule prevents your own system from allocating resources unnecessarily.) If the traffic is coming from multiple source IPs, the address can also be a CIDR network range, e.g. 10.99.99.0/24.

Of course, if you can get in touch with the operator of the network in question and get them to behave, this won't be necessary.


 

so what was up with the iptables error, I've never had anything like that from it...


 

On the specific error, you might try running "depmod" to rebuild the kernel module dependencies file, but without knowing your specific setup it's hard to tell whether this is likely to help or not.


 

I haven't found the cause yet -- it's some kind of conflict between the current kernel on the server and iptables.


 

Maybe Rogers doesn't like Bjorn Borg but I know firsthand that he is gaa gaa over Abba. By the way Rogers you owe me a phone call, email or a million dollars - your choice.


 

Email sent. I think I still have my 45 of "Take a Chance on Me." Take a chance take a chance.

rachelmarsden.files.wordpress.com


 

This is the explanation from the Swede responsible

daniel.haxx.se


 
