* * * * *

                       Oh, so they were used after all

So apparently the sites were in actual use [1], hence the query for which
site was under attack [2]. Also, it turned out that the traffic spike I saw
might not have been an actual SYN attack [3], but instead legitimate traffic.

It seems that the company that owns the sites has a domain that has nothing
but advertising banners for gambling sites (since that's what they do) for
which they bought advertising space on a bunch of porn sites (I'm sure on the
theory of “in for a penny, in for a pound” but in this case, “in for a vice,
in for a whole slew of vices”) and it caught our server unaware.

It's not like the server can't handle the load, but that Apache [4] wasn't
configured for such a spike in traffic. Now that I've tweaked the operating
system (Linux):

> sysctl -w net.ipv4.tcp_syncookies=1
> sysctl -w net.ipv4.tcp_max_syn_backlog=2048
> sysctl -w net.ipv4.tcp_syn_retries=2
>

and also tweaked KeepAliveTimeout [5], MinSpareServers [6], MaxSpareServers
[7], StartServers [8] and MaxClients [9] in the Apache configuration (doubled
each except for KeepAliveTimeout which I decreased), the server is having no
problem keeping up with the traffic (I also copied the site to the second
server and am round-robinning requests between the two).
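As an added example (not code from the original entry): the three sysctl -w
calls above take effect immediately but are lost at the next reboot, and
they are easy to have silently undone by a later kernel or distribution
change. The POSIX sh script below audits whether the kernel is still in the
state the entry describes (cookies on, a backlog of at least 2048, at most 2
SYN retries) and prints the /etc/sysctl.conf lines that make the values
persistent. SYSCTL_ROOT is an assumption of this script, not a kernel
feature; it lets the audit be pointed at a copied tree instead of /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original phlog entry: audit the SYN-flood
# related kernel settings the entry changes and render persistent config.
# SYSCTL_ROOT (assumption of this script) defaults to /proc/sys.

# Wanted values as set in the entry, in name:op:value form. The operator
# says what still counts as acceptable: cookies must be exactly on, a
# larger backlog is fine, fewer retries are fine.
KNOBS="tcp_syncookies:eq:1 tcp_max_syn_backlog:ge:2048 tcp_syn_retries:le:2"

# read_knob NAME: print the current value of net.ipv4.NAME, or "missing"
# when the kernel does not expose that knob (or we cannot read it).
read_knob() {
    f="${SYSCTL_ROOT:-/proc/sys}/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# check_knob NAME OP WANT CUR: print one report line; return 0 when the
# current value satisfies the requirement, 1 otherwise.
check_knob() {
    name=$1 op=$2 want=$3 cur=$4 ok=1
    if [ "$cur" = missing ]; then
        printf '%-20s MISSING (knob not readable)\n' "$name"
        return 1
    fi
    case $op in
        eq) [ "$cur" -eq "$want" ] 2>/dev/null && ok=0 ;;
        ge) [ "$cur" -ge "$want" ] 2>/dev/null && ok=0 ;;
        le) [ "$cur" -le "$want" ] 2>/dev/null && ok=0 ;;
    esac
    if [ "$ok" -eq 0 ]; then
        printf '%-20s OK    (%s)\n' "$name" "$cur"
    else
        printf '%-20s DRIFT have %s, want %s %s\n' "$name" "$cur" "$op" "$want"
    fi
    return "$ok"
}

# audit_syn_settings: one report line per knob; the exit status is the
# number of knobs that drifted from the wanted value (0 means all good).
audit_syn_settings() {
    drift=0
    for spec in $KNOBS; do
        name=${spec%%:*}; rest=${spec#*:}; op=${rest%%:*}; want=${rest#*:}
        check_knob "$name" "$op" "$want" "$(read_knob "$name")" || drift=$((drift + 1))
    done
    return "$drift"
}

# render_sysctl_conf: print lines suitable for /etc/sysctl.conf, so the
# values survive a reboot (sysctl -w alone does not persist them).
render_sysctl_conf() {
    for spec in $KNOBS; do
        name=${spec%%:*}; want=${spec##*:}
        printf 'net.ipv4.%s = %s\n' "$name" "$want"
    done
}

# Stand-alone use: "sh syn-audit.sh" (or "... audit") reports the live
# kernel state; "sh syn-audit.sh render" prints the persistent config.
case ${1:-audit} in
    audit)
        if audit_syn_settings; then
            echo "all SYN settings are as wanted"
        else
            echo "$? knob(s) drifted; run with 'render' for the persistent config"
        fi ;;
    render) render_sysctl_conf ;;
    *) echo "usage: $0 [audit|render]" ;;
esac
```

Note on the design: the audit accepts a backlog larger than 2048 and a retry
count lower than 2 because those are strictly more conservative than what
the entry set, while tcp_syncookies is required to be exactly 1, since
cookies are the setting that keeps a real SYN flood from pinning the backlog
full once it overflows. Run the script as an ordinary user for the audit;
only writing the rendered lines into /etc/sysctl.conf needs root.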

[1] gopher://gopher.conman.org/0Phlog:2005/08/08.3
[2] gopher://gopher.conman.org/0Phlog:2005/08/10.1
[3] gopher://gopher.conman.org/0Phlog:2004/01/04.2
[4] http://httpd.apache.org/
[5] http://httpd.apache.org/docs/1.3/mod/core.html#keepalivetimeout
[6] http://httpd.apache.org/docs/1.3/mod/core.html#minspareservers
[7] http://httpd.apache.org/docs/1.3/mod/core.html#maxspareservers
[8] http://httpd.apache.org/docs/1.3/mod/core.html#startservers
[9] http://httpd.apache.org/docs/1.3/mod/core.html#maxclients
