[svlug] someone is hammering my webserver

Scott Hess scott at doubleu.com
Mon Jan 28 10:59:33 PST 2008


My general experience is that for every case where a redirect to a
"funny" place generates a win, there are 10 other cases where it
generates a non-win.  It's like when a telemarketer calls.  You can
spend five minutes messing with their heads, but compared to "no thank
you" and a hangup, you still just wasted five minutes of your life!  I
think simply blackholing them and moving on is really a stronger
solution.

Suggest doing a DROP rather than a REJECT.  The DROP case should leave
them squelched at the level of their TCP stack, with exponential
backoff, sort of like teergrubbing, while the REJECT case might
actually result in a higher incoming packet load because they'll move
on to the next connection immediately.

-scott


On Jan 28, 2008 10:39 AM, Bill Teeple <bill at teeple.tv> wrote:
> Drop it using IPTABLES - just issue the IPTABLES command - drop the
> packet for port 80 and they won't get any more responses from your site
> and your system will be better off. (or whatever firewall you employ)
>
> I don't know about redirecting... my two cents.
>
> Bill
>
>
> On Mon, 2008-01-28 at 10:31 -0800, Larry Colen wrote:
> > On Mon, Jan 28, 2008 at 10:28:20AM -0800, Jeff Shippen wrote:
> > # looks like it is all from the same IP, which you can block, or even better,
> > # redirect their request to 127.0.0.1.
> >
> > Yup, another 80,000 hits since I sent the last message:
> > red4est:/var/log/apache# grep 83.156.199.176 access.log* | wc
> >  530090 11660614 103915191
> >
> >
>
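
The blackholing suggested in this thread, as an added example that is not part of any poster's message: a shell function that counts requests per client address in Apache access-log lines and prints (without running) an iptables DROP rule for each address at or above a threshold. The names `drop_rules` and `sample_log`, the threshold and the sample log lines are constructed for illustration; 192.0.2.10 and 198.51.100.7 are documentation addresses.

```shell
#!/bin/sh
# Added example (not from the thread). drop_rules and sample_log are
# illustrative names; the log lines below are constructed.

# drop_rules THRESHOLD
# Reads access-log lines on stdin and prints one iptables DROP rule for every
# client address with at least THRESHOLD requests. Nothing is executed, so the
# output can be reviewed before it is applied as root.
drop_rules() {
    awk -v t="$1" '
        # Field 1 of the common/combined log format is the client address.
        # Only count fields that look like dotted-quad IPv4, so that log
        # content can never end up as arbitrary text in a firewall command.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= t)
                    # DROP, as suggested in the thread: the sender gets no
                    # answer and its TCP stack retries with backoff.
                    # "-j REJECT" would answer each SYN instead.
                    printf "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n", ip
        }' | sort
}

# Constructed sample input in Apache common log format.
sample_log() {
    cat <<'EOF'
83.156.199.176 - - [28/Jan/2008:10:30:01 -0800] "GET / HTTP/1.1" 200 5120
83.156.199.176 - - [28/Jan/2008:10:30:01 -0800] "GET / HTTP/1.1" 200 5120
192.0.2.10 - - [28/Jan/2008:10:30:02 -0800] "GET /index.html HTTP/1.1" 200 812
83.156.199.176 - - [28/Jan/2008:10:30:02 -0800] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [28/Jan/2008:10:30:03 -0800] "GET /a.png HTTP/1.1" 200 2048
garbled-line without a client address
198.51.100.7 - - [28/Jan/2008:10:30:04 -0800] "GET /b.png HTTP/1.1" 200 2048
83.156.199.176 - - [28/Jan/2008:10:30:04 -0800] "GET / HTTP/1.1" 200 5120
EOF
}

# Print the rules for clients with 3 or more requests in the sample.
sample_log | drop_rules 3
```

Against a real log the threshold would be far higher, and the printed rules should be read before being run as root.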
