[Systems] {wiki, activities}.sugarlabs.org dead, no response to HTTP GET

Bernie Innocenti bernie at codewiz.org
Thu Feb 25 03:55:47 EST 2016


Who do the source IPs belong to?

I suspect that shady SEO companies which previously added spam links to wikis are now trying to clear the reputation of their customers by DoSing the sites on which they cannot delete the links any more. The trend changed because Google now *demotes* sites for having link spam.

If there are only a few IPs, just plonk them with a temporary iptables rule. When playing with iptables, don't try random things; it's very easy to make the host unreachable.

On February 24, 2016 11:52:14 PM PST, Sebastian Silva <sebastian at fuentelibre.org> wrote:
>Hi,
>This morning we're past 150 active connections.
>
>   103-1 8274 0/10/10    _ 0.82  29  2016   0.0   0.07  0.07  2001:4830:134:7::11  wiki.sugarlabs.org:80  POST /index.php?title=Special%3ARunJobs&tasks=jobs&maxjobs=1&si
>
>
>From the log that bernie left in /root/apache-status, I see a bunch of
>connections such as the one above.
>
>I've read a little about RunJobs and it is suggested a change in config
>can make this process less expensive:
>https://www.mediawiki.org/wiki/Manual:Job_queue#Performance_issue
>
>However it looks like its triggering is an attempted Denial Of
>Service...
>
>Regards,
>Sebastian
>
>
>On 18/02/16 01:43, Bernie Innocenti wrote:
>> Seems to work now.
>>
>> Our webserver often ends up in a state in which all 150 processes are
>> sleeping without much going on.
>>
>> Last time I saw it, there were plenty of connections from some shady SEO
>> company (ahrefs.com). It very much looked like a DDoS, so I just
>> blackholed their entire subnet with iptables.
>>
>> Not sure how to stop these in a more generalized way. Maybe we could
>> rate-limit connections per-IP using iptables, or find an anti-DDoS
>> Apache module.
>>
>> On 02/17/2016 11:58 PM, James Cameron wrote:
>>> wiki.sugarlabs.org and activities.sugarlabs.org are accepting
>>> connections but not responding to HTTP GET requests.
>>>
>>> quozl at sunjammer:~$ wget http://wiki.sugarlabs.org/
>>> --2016-02-17 23:57:43--  http://wiki.sugarlabs.org/
>>> Resolving wiki.sugarlabs.org (wiki.sugarlabs.org)... 2001:4830:134:7::11, 208.118.235.53
>>> Connecting to wiki.sugarlabs.org (wiki.sugarlabs.org)|2001:4830:134:7::11|:80... connected.
>>> HTTP request sent, awaiting response... ^C
>>> 130!quozl at sunjammer:~$ 
>>>
>>
>
>-- 
>I+D SomosAzucar.Org
>"icarito" #somosazucar on Freenode IRC
>"Nobody liberates anybody, nobody liberates themselves alone. Human beings
>liberate themselves in communion" - P. Freire

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
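
Added example, not part of the original messages: a tally of busy Apache worker slots per client address, as a way to answer "who do the source IPs belong to?" before any iptables rule is written. It keeps the server's own addresses (taken from the wget output quoted in the thread, which match the client in the quoted status row) apart from external clients; the column layout and every sample row except the first are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Addresses wiki.sugarlabs.org resolves to in the wget output quoted in the thread.
SERVER_ADDRS = {ipaddress.ip_address(a)
                for a in ("2001:4830:134:7::11", "208.118.235.53")}

# Constructed sample of mod_status worker rows. Assumed columns: Srv PID Acc M CPU
# SS Req Conn Child Slot Client VHost Request. The first row is the one quoted in
# the thread; the others are made up and use documentation address ranges.
SAMPLE = """\
Srv PID Acc M CPU SS Req Conn Child Slot Client VHost Request
103-1 8274 0/10/10 _ 0.82 29 2016 0.0 0.07 0.07 2001:4830:134:7::11 wiki.sugarlabs.org:80 POST /index.php?title=Special%3ARunJobs&tasks=jobs&maxjobs=1&si
104-1 8275 0/4/4 W 0.10 3 0 0.0 0.02 0.02 198.51.100.7 wiki.sugarlabs.org:80 GET /index.php?title=Special:RecentChanges HTTP/1.1
105-1 8276 0/7/7 W 0.31 5 0 0.0 0.03 0.03 198.51.100.7 wiki.sugarlabs.org:80 GET /index.php?title=Main_Page&action=history HTTP/1.1
106-1 8277 0/2/2 K 0.05 1 12 0.0 0.01 0.01 192.0.2.44 activities.sugarlabs.org:80 GET / HTTP/1.1
107-1 8278 0/9/9 _ 0.77 31 1990 0.0 0.06 0.06 2001:4830:134:7::11 wiki.sugarlabs.org:80 POST /index.php?title=Special%3ARunJobs&tasks=jobs&maxjobs=1&si
"""

def parse_rows(text):
    """Yield (client, vhost, request) per worker row; skip headers and junk."""
    for line in text.splitlines():
        parts = line.split(None, 12)  # the request itself may contain spaces
        if len(parts) < 13:
            continue
        try:
            client = ipaddress.ip_address(parts[10])
        except ValueError:
            continue  # header row, or a slot with no client recorded
        yield client, parts[11], parts[12]

def summarize(text, own=SERVER_ADDRS):
    """Count slots per client, split into external clients and the server itself."""
    external, internal = Counter(), Counter()
    for client, _vhost, _request in parse_rows(text):
        (internal if client in own else external)[str(client)] += 1
    return external.most_common(), internal.most_common()

if __name__ == "__main__":
    ext, own = summarize(SAMPLE)
    print("external clients:      ", ext)
    print("server's own addresses:", own)
```

Only addresses in the external list are candidates for a temporary block; slots whose client is one of the server's own addresses are requests the host made to itself.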