who's DDOSing the web server?



It's the first week of classes here. Somehow, our sniversity created a
"task force" (really, that's what it says on the "Welcome to the new
Sniversity Home Page" page) to create a new web page design which they
decreed should be deployed on the first day of classes. We did get some
advance notice of this specific deployment date. It was given last
Friday, before the start of classes on Monday; before that, there were a
few weeks of hints it was coming "real soon now" and a URL was handed
out for the design prototype so I guess you can't say we weren't warned.

As I found out in a meeting this morning, not only do I hate it,
everyone else hates it too. Oh do they hate it. Our consultants have
been getting a steady stream of phone calls from people who hate it, and
referring the people who want to escalate their hate to some selected
members of the "task force". Two of my student friends have said to me
"what's up with this new web page? I hate it!" The main reason people
hate it is that in the old design, there were links on the main page to
the two things they really wanted to find, and apparently can't be arsed
to bookmark separately: the webmail system and a courseware system too
vile to name here. These two immensely popular items have been
carefully hidden in subpages of the new design. So it's a really big
hit.

Speaking of big hits, I hate it because the designers sprinkled
server-side includes through the top-level pages, thereby making it much
less efficient to serve up the content. The stuff they're including is
mainly static page elements, with some other content that really
changes, oh, once a day or so. I was blaming this for why the web
server was getting the crap beaten out of it Monday, but I now think
that theory is probably wrong.

This afternoon some random IP in Australia seemed to be conducting a
classic SYN-flood DOS attack against us, and quite effectively.
Fortunately it went away before we had to resort to blocking it
outright. But in the process I also noticed that the web server was now
pushing a stunning 250 hits/sec and over 5 megabytes/sec. It was
pushing this due to loads of three particular objects over and over
again from lots of random clients. Had our DOSer decided to go DDOS on
us and script up something through lots of proxies?

Well, the web server has been maintaining this impressive performance
all evening. And I got curious and looked some more.

What are those three objects it's accessing? Funny, none of the HTML
refers to it. But there is a glorious new Flush animation as a
centerpiece to the new design. And looking at these three specific
objects, one is a list of URLs that clicking on the Flush in the right
places at the right times will take you to, and the others are some
graphic elements used at the start of the animation. Uh oh.

And look, each one in a sample of clients who are most aggressively
reloading those things can be seen from the server logs to load the
Flush object right before going into a loop sucking in those other three
objects over and over and over again.

I'm guessing the suspected SYN-flooder just had a stupid packet filter
that let his SYNs out but didn't let the ACKs back in, and also hit the
Flush bug. And it's also pretty clear that this new random assortment
of IPs banging away on us are those of our own real users.

Who's DDOSing the web server? Our own users are, with a DDOS tool
handily provided by our own web design "task force" on our own main web
page!

--
Steve VanDevender "I ride the big iron" http://hexadecimal.uoregon.edu/
stevev@xxxxxxxxxxxxxxxxxxxxxxx PGP keyprint 4AD7AF61F0B9DE87 522902969C0A7EE8
Little things break, circuitry burns / Time flies while my little world turns
Every day comes, every day goes / 100 years and nobody shows -- Happy Rhodes
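
The log check described in the post (clients that load the animation object and then re-fetch the same few objects over and over), as an added example that is not part of the original post. The object paths, client addresses and log lines are constructed, since the post does not give the real ones.

```python
import re
from collections import Counter

# Matches the client address and request path of a Common Log Format line.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" \d{3} \S+')

# Constructed object names: the post does not give the real paths.
TRIGGER = "/intro.swf"
LOOP_OBJECTS = ["/flash/links.xml", "/flash/logo.png", "/flash/sky.png"]

def sample_log():
    """Constructed log: two clients stuck in the loop, one loading each object once."""
    fmt = '{} - - [01/Jan/2000:20:00:00 +0000] "GET {} HTTP/1.1" 200 512'
    lines = []
    for ip, rounds in (("192.0.2.10", 4), ("198.51.100.7", 5), ("203.0.113.5", 1)):
        lines += [fmt.format(ip, "/"), fmt.format(ip, TRIGGER)]
        for _ in range(rounds):
            lines += [fmt.format(ip, p) for p in LOOP_OBJECTS]
    lines.append("garbage line that is not CLF")
    return lines

def find_reload_loops(lines, trigger=TRIGGER, min_repeats=3):
    """Map each client to the objects it re-fetched >= min_repeats times
    after loading the trigger object."""
    after = {}  # client -> Counter of paths requested since the trigger
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the scan
        ip, path = m.groups()
        if path == trigger:
            after.setdefault(ip, Counter())
        elif ip in after:
            after[ip][path] += 1
    loops = {}
    for ip, counts in after.items():
        repeated = {p: n for p, n in counts.items() if n >= min_repeats}
        if repeated:
            loops[ip] = repeated
    return loops

def common_loop_objects(loops, min_clients=2):
    """Objects looped by many distinct clients point at a client-side bug
    rather than a single hostile source."""
    seen = Counter(p for objs in loops.values() for p in objs)
    return sorted(p for p, n in seen.items() if n >= min_clients)

if __name__ == "__main__":
    loops = find_reload_loops(sample_log())
    print(loops, common_loop_objects(loops))
```

The same objects showing up in the loop for many unrelated clients, each right after the animation load, is the pattern that separates a page bug from a single flooding source.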