This morning we got hit by a very large botnet attack. In the process of restoring access to the server I was able to identify nearly all the attacking hosts (~50) and prevent them from ever accessing the site again.
Service is back to normal.
All original content copyright © 2003-2010 by Wizbang®, LLC. All rights reserved. Wizbang® is a registered service mark.
Comments (10)
1. Posted by Amir | April 2, 2008 12:56 PM | Score: 2 (2 votes cast)
Interesting, how long was the attack?
Seems that 50 bots is a pretty small number for a botnet, don't you think?
Amir
2. Posted by Kevin | April 2, 2008 2:00 PM | Score: 1 (1 votes cast)
There could have been more; that's just how many I caught in a snapshot, but it was a very targeted trackback storm. They were trying to post to dynamic pages (most of the site is static) that had nowhere on them to post. Each address was making 10-20 connections, so that coupled with the errors they were generating - I guess - was bogging down Apache by using up server memory. Blocking their access fixed that right away; it just took a little while to make the change due to the server slowdown.
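The pattern described in the comment above (many addresses each repeatedly POSTing to pages that cannot accept a post, and generating errors) can be pulled out of an access log. This is an added example, not part of the original thread or the site's own tooling; the Apache combined log format, the paths, the addresses and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Apache combined-log prefix: client IP, method, path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, method, path, status):
    """Build one constructed access-log line (not real traffic)."""
    return (f'{ip} - - [02/Apr/2008:09:14:01 -0400] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: two storm hosts, one reader hitting reload, one low-volume host.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", f"/dynamic/page-{i}", 404) for i in range(15)]
    + [_line("198.51.100.23", "POST", f"/dynamic/page-{i}", 500) for i in range(12)]
    + [_line("192.0.2.10", "GET", "/", 200) for _ in range(30)]
    + [_line("192.0.2.10", "POST", "/dynamic/comment", 500)]
    + [_line("192.0.2.44", "POST", "/dynamic/page-9", 404) for _ in range(3)]
    + ["truncated or malformed line"]
)

def find_storm_hosts(log_text, min_failed_posts=10, min_failed_ratio=0.8):
    """Return {ip: failed_post_count} for hosts dominated by failing POSTs."""
    total = defaultdict(int)
    failed = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the scan
        ip, method, _path, status = m.groups()
        total[ip] += 1
        if method == "POST" and status[0] in "45":
            failed[ip] += 1
    # Require both volume and dominance, so a reader who reloads the page
    # many times and hits one error is not swept into the block list.
    return {
        ip: n for ip, n in failed.items()
        if n >= min_failed_posts and n / total[ip] >= min_failed_ratio
    }

if __name__ == "__main__":
    for ip, n in sorted(find_storm_hosts(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} failed POSTs")
```

The ratio test is what separates the storm hosts from ordinary readers retrying a slow page; the resulting addresses still need review before they go into a deny rule.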
3. Posted by Maggie | April 2, 2008 2:43 PM | Score: 0 (0 votes cast)
You need a bigger fly swatter Kevin. LOL
4. Posted by epador | April 2, 2008 2:52 PM | Score: 0 (0 votes cast)
Isn't it great to know you are loved so much and worth the effort to attack? Beware, with a relatively small attack, it could just have been a probe.
Keep up the good work.
5. Posted by DJ Drummond | April 2, 2008 2:59 PM | Score: 0 (0 votes cast)
Dang cylons!
6. Posted by Paul | April 2, 2008 3:30 PM | Score: 0 (0 votes cast)
It was a bad day all round... I had 3 servers get fairly serious attacks yesterday... Guess the morons were bored or something.
7. Posted by Paul | April 2, 2008 3:39 PM | Score: 0 (0 votes cast)
Amir, you might also consider something else....
While 50 machines might not seem like a lot to a site the size of Wizbang remember the rest of the load does not magically go away....
The server may very well be able to handle the attack -in a vacuum- but server admins aren't in the habit of leaving 10X the resources needed for a site sitting idle. It still has to do its regular job.
Now add the fact the base server load INCREASES during an attack... Why?
Amir hits Wizbang and it doesn't load right. So he hits reload. Then he waits a while and gets impatient waiting on the browser, so he hits reload again.
Now the average load on the server just went up 300% over the usual base. On a site that gets 50,000 hits a day now that number went to 150,000...
And then there is the botnet attack.
Things can get out of control quickly.
8. Posted by Knightbrigade | April 2, 2008 6:23 PM | Score: 0 (0 votes cast)
I hope the day comes when John Q public can locate exactly where a hacker is, and perform creative justice.
9. Posted by Mike | April 2, 2008 11:22 PM | Score: 0 (0 votes cast)
Yes Knightbrigade. The famous incident with the Russian spammer is absolutely appropriate.
10. Posted by ijosha | April 3, 2008 2:19 AM | Score: 0 (0 votes cast)
If you are talking about the spammer story from late last year -- wasn't that a hoax?