Large HTTP flood

RobertClarke Member, Host Rep
edited March 2013 in General

http://robrt.co/Yn1GmS

Just under 100 million "pageviews" in the last few hours according to Cloudflare. Apache is currently pushing 997 requests a second. Running Cloudflare railgun on the site, but it's just not holding up.

Any advice to keep the site up without breaking the bank is much appreciated. To confirm, this is an actual attack on the website craftstats.com, not a large amount of legit traffic.


Comments

  • Someone is probably disliking your services. Have you looked at the main ones? GigeNet, black lotus and such?

  • RobertClarke Member, Host Rep
    edited March 2013

    @blergh_ Site doesn't make enough for that to be worth it, but it does make enough to make Cloudflare business worthwhile.
    @Jack Yes.

  • @RobertClarke in ServerCrate the 4GB plan says: "1 IP ADDRESSES INCL"

  • @RobertClarke I have been following what seems to be a higher than normal level of recon and other bot net activity lately .. keep up to date on auto shun and others, you are not alone!

  • joepie91 Member, Patron Provider

    Generally you can expect Cloudflare to start detecting and mitigating HTTP floods in roughly 6-24 hours from when they start, at least in my experience. It might very well solve itself that way.

  • @joepie91 I like their approach too, why I will always offer to *invest in a good host, +1 for infrastructure!

  • AlexBarakov Patron Provider, Veteran

    What's your budget for this? I might have something for you, however it would exceed the LEB limits.

  • Corey Member

    @RobertClarke said: Apache is currently pushing 997 requests a second.

    Guessing apache is overloaded because when I try to visit I get Error 324 (net::ERR_EMPTY_RESPONSE): The server closed the connection without sending any data, and cloudflare doesn't seem to be doing much good at this point in time :( sorry about your issues.

  • RobertClarke Member, Host Rep

    @Alex_LiquidHost What is it?

  • Corey Member

    @Jack said: I can access it fine...

    Weird

  • AlexBarakov Patron Provider, Veteran

    Nah, it is not based on LBs. On the other side it is still in early beta, been writing a WAF for myself for some time now, I might get something finished the following couple of days and will hit you up if you are still under attack.

    Anyway, why apache, change to nginx and see how it goes. Also tweaking the apache itself and installing a couple of mods can help deal with some basic http floods that otherwise would have taken down the box.

  • Awmusic12635 Member, Host Rep

    An nginx + apache combo may hold up better against the requests and if you are using cPanel it is easy to set up.

    nginx admin

  • perennate Member, Host Rep
    edited March 2013

    mod_evasive if they're from a limited number of IP addresses.
    Edit: and also iptables limit number of connections per IP

  • Or throw up Varnish in front of Apache instead. Less configuration.

  • Rallias Member
    edited March 2013

    I've got a 5 letter word for you.

    NGINX

    Also, look in the logs. Usually the attack has a very specific pattern that you can use to safely block the attack, such as POST to / from www.google.com (invalid and impossible request).

    @perennate said: Edit: and also iptables limit number of connections per IP

    He's using cloudflare.

  • raindog308 Administrator, Veteran

    Apache+Nginx...why not just nginx?

    php-fpm if you need it.

  • Awmusic12635 Member, Host Rep

    @raindog308 easy drop in replacement. Takes seconds.

  • perennate Member, Host Rep

    @Rallias said: He's using cloudflare.

    You're getting flood through CloudFlare?

  • It may be worth trying nginx.

  • At the very least put Varnish in front of Apache

  • jar Patron Provider, Top Host, Veteran

    Unplug it.

  • RobertClarke Member, Host Rep

    Trying some new stuff, not saying exactly what we're trying, as we still have no idea who the attacker is (botnet), but it should be better than what's on there now.

  • @RobertClarke Have you tried working with the DC / CloudFlare to see if you can get the offenders' IPs? Or are they all spoofed?

  • As for me, is interesting, how much RAM eat apache to do 900+R/Second;

    I have experience with ~ same, but my numbers was ~ same;
    What I was use?

    sysctl.conf - configure your tcp-window, other options for high load;
    NGINX + FastCGI only, AND ONLY! + good NGINX config = make your site not dead (with same hardware what used for apache) and under 10000 request/s; (caching help a lot);
    caching save our word.

    I am done.

  • Quickest and simplest way is to do Varnish in front, and then you can use the varnishlog to see the url patterns and begin blocking them.
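
The log triage suggested in the posts above (Rallias: look for a specific pattern such as POST to / from www.google.com; the varnishlog suggestion directly above: look at URL patterns) can be done with a short script. This is an added example, not code from any poster; it assumes Apache combined-format access logs, and the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def signature(rec):
    # Drop the query string so random cache-busting parameters collapse together.
    return (rec["method"], rec["path"].split("?", 1)[0], rec["referer"], rec["ua"])

def dominant_signatures(lines, min_share=0.5, min_clients=3):
    """Signatures making up >= min_share of requests, seen from >= min_clients addresses."""
    recs = [r for r in map(parse, lines) if r]      # malformed lines are skipped
    counts, clients = Counter(), defaultdict(set)
    for r in recs:
        sig = signature(r)
        counts[sig] += 1
        clients[sig].add(r["ip"])   # assumes the log holds the visitor address, not the proxy's
    return [{"signature": sig, "requests": n, "share": round(n / len(recs), 2),
             "clients": len(clients[sig])}
            for sig, n in counts.most_common()
            if n / len(recs) >= min_share and len(clients[sig]) >= min_clients]

# Constructed sample: 8 identical POSTs to / with a google.com referer, 2 ordinary
# page views, 1 truncated line. Addresses are documentation ranges.
SAMPLE = [f'192.0.2.{i} - - [10/Mar/2013:12:00:0{i} +0000] "POST / HTTP/1.1" 200 512 '
          f'"http://www.google.com/" "Mozilla/5.0"' for i in range(1, 9)] + [
    '198.51.100.7 - - [10/Mar/2013:12:00:01 +0000] "GET /servers?page=2 HTTP/1.1" 200 8123 '
    '"http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [10/Mar/2013:12:00:02 +0000] "GET /servers/top HTTP/1.1" 200 9001 '
    '"-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.5 - - [10/Mar/2013:12:00:03 +0000] "GET /ser',
]

if __name__ == "__main__":
    for hit in dominant_signatures(SAMPLE):
        print(hit)
```

A signature that dominates the log and is not a request the site legitimately receives (here POST to /) is the pattern a block rule at the proxy or web server would match on.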

  • Sunshine Member
    edited March 2013

    @tortau said: Or throw up Varnish in front of Apache instead. Less configuration.

    @nickvanw said: At the very least put Varnish in front of Apache

    @FRCorey said: Quickest and simplest way is to do Varnish in front, and then you can use the varnishlog to see the url patterns and begin blocking them.

    +1 Varnish.

    Nginx and PHP-FPM are awesome, but take some configuration.

    Varnish, on the other hand, is very easy to add in front of Apache. Takes 5-10 minutes of your time. Make sure things are hitting the cache (varnishstat command) and you should be able to handle 1000 req/s.

    If you can recognize and collect a list of the offending IPs, then you can use curl against Cloudflare's API to block them on their end.

  • ddos.sh with apf will knock down floods pretty quick.

  • Jacob Member
    edited March 2013
    • snip, snip -

    /removed

  • RobertClarke Member, Host Rep

    Switched to a BuyVM filtered IP, took 20gbit, IP got nullrouted. Now we're back searching for a solution.

  • Get a server at awknet or somewhere serious?
