<html><head></head><body>Who do the source IPs belong to?<br>
<br>
I suspect that shady SEO companies which previously added spam links to wikis are now trying to clear the reputation of their customers by DoSing the sites on which they cannot delete the links any more. The trend changed because Google now *demotes* sites for having link spam.<br>
<br>
If there are only a few IPs, just plonk them with a temporary iptables rule. When playing with iptables, don't try random things; it's very easy to make the host unreachable.<br><br><div class="gmail_quote">On February 24, 2016 11:52:14 PM PST, Sebastian Silva &lt;sebastian@fuentelibre.org&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre class="k9mail">Hi,<br />This morning we're past 150 active connections.<br /><br /> 103-1 8274 0/10/10 _ 0.82 29 2016 0.0 0.07 0.07 <br />2001:4830:134:7::11 <a href="wiki.sugarlabs.org:80">wiki.sugarlabs.org:80</a> POST<br />/index.php?title=Special%3ARunJobs&tasks=jobs&maxjobs=1&si <br /><br /><br />From the log that bernie left in /root/apache-status, I see a bunch of<br />connections such as the one above.<br /><br />I've read a little about RunJobs and it is suggested a change in config<br />can make this process less expensive:<br /><a href="https://www.mediawiki.org/wiki/Manual:Job_queue#Performance_issue">https://www.mediawiki.org/wiki/Manual:Job_queue#Performance_issue</a><br /><br />However it looks like its triggering is an attempted Denial Of Service...<br /><br />Regards,<br />Sebastian<br /><br /><br />On 18/02/16 01:43, Bernie Innocenti wrote:<br /><blockquote class="gmail_quote" style="margin:
0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Seems to work now.<br /><br /> Our webserver often ends up in a state in which all 150 processes are<br /> sleeping without much going on.<br /><br /> Last time I saw it, there were plenty of connections from some shady SEO<br /> company (<a href="http://ahrefs.com">ahrefs.com</a>). It very much looked like a DDoS, so I just<br /> blackholed their entire subnet with iptables.<br /><br /> Not sure how to stop these in a more generalized way. Maybe we could<br /> rate-limit connections per-IP using iptables, or find an anti-DDoS<br /> Apache module.<br /><br /> On 02/17/2016 11:58 PM, James Cameron wrote:<br /><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> <a href="http://wiki.sugarlabs.org">wiki.sugarlabs.org</a> and <a href="http://activities.sugarlabs.org">activities.sugarlabs.org</a> are accepting<br /> connections but not responding to
HTTP GET requests.<br /><br /> quozl@sunjammer:~$ wget <a href="http://wiki.sugarlabs.org">http://wiki.sugarlabs.org</a>/<br /> --2016-02-17 23:57:43-- <a href="http://wiki.sugarlabs.org">http://wiki.sugarlabs.org</a>/<br /> Resolving <a href="http://wiki.sugarlabs.org">wiki.sugarlabs.org</a> (<a href="http://wiki.sugarlabs.org">wiki.sugarlabs.org</a>)... 2001:4830:134:7::11, <a href="http://208.118.235.53">208.118.235.53</a><br /> Connecting to <a href="http://wiki.sugarlabs.org">wiki.sugarlabs.org</a> (<a href="http://wiki.sugarlabs.org">wiki.sugarlabs.org</a>)|2001:4830:134:7::11|:80... connected.<br /> HTTP request sent, awaiting response... ^C<br /> 130!quozl@sunjammer:~$ </blockquote><br /><br /></blockquote></pre></blockquote></div><br>
</body></html>