Denial of Service Attack Defense
I am the webmaster for a blog that is drawing attacks. It appears to be from someone who disagrees with what the blogger is writing about.
Whoever is doing the attacking is flooding the site with requests, from a bazillion different IP addresses. We are running the latest Bad Behavior and it is blocking them just fine, but the harder they try, the higher the CPU load goes. It appears to be not only BB doing its work, but also BB trying to log the hit in the database.
Much to their glee, I’m sure, the shared host we were on finally pulled the plug. We were eating 60+% of the CPU. Because I’m a firm believer in the First Amendment and this woman’s right to say whatever the heck she wants, I’m not giving up.
We are getting a dedicated machine, so I can a) implement the famous Mullenweg “5 minutes to a faster blog”, b) have complete root control over our defense mechanisms, and c) not give a hoot if these bozos take 60% of our own CPU.
But I’m concerned about bandwidth. In general we’re seeing 10,000 BB hits a day, or about 1.5 GB a day of transfer, which I can live with. However, at the peak a couple of days ago, this went up 5-6 times, to about 9 GB a day. That I’d rather not live with if I don’t have to.
So, I’m looking for strategic advice. I can clearly cut down BB’s log from 7 days to 2-3, I can optimize its table more often, and that kind of thing. This would cut down the time it takes to append a new log record, and the related CPU load. And of course, better mysql optimization and using APC will lower CPU load all around.
I could also go the .htaccess route and do some front line defense preventing a whole lot of this before BB even sees it (à la https://www.javascriptkit.com/howto/htaccess13.shtml). And I could spend the better part of my life adding IPs and REFERRERs to the .htaccess file as I see them pile up in the BB log. This would certainly cut down on the CPU time, since undoubtedly Apache is faster at processing .htaccess than BadBehavior is at doing its work. But it sure is a pain in the rump.
This also brings up an interesting question. If I respond quickly, doesn’t it just enable them to fire another salvo just as quickly? Doesn’t this exacerbate, not solve, my bandwidth problem?
So, I was wondering if a better strategy would be to continue to use BadBehavior (which, as I noted, is stopping essentially 100% of them) and respond r_e_a_l_l_y s_l_o_w_l_y. Like put some kind of 10-20 second delay in the BadBehavior “denial” code. At least there I would assure they couldn’t machine-gun me.
Anyone have any ideas on this topic? Better strategies? Anybody ever win one of these wars?
Sorry for the long post, and thanks for any advice anyone can give me.
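The post above weighs hand-maintaining .htaccess deny lists against slowing down the PHP-side denial. One practical caveat on the second idea: a `sleep()` inside PHP keeps an Apache worker process (and its memory) occupied for the whole delay, so on a busy machine a 10-20 second tarpit can cost more than the request it is stalling. The script below is an added example, not code from the forum thread or from Bad Behavior: it automates the "add IPs and referrers to .htaccess" chore by reading Apache combined-format access-log lines, finding clients whose request rate exceeds a threshold in any 60-second window, collecting the referrer hosts they sent, and emitting an .htaccess fragment that Apache can enforce before PHP ever runs. The log format, the thresholds (30 hits per 60 s) and the sample log lines are assumptions constructed for the example; the Apache 2.2 `Order`/`Deny` syntax matches the era of the post, and the 2.4 equivalents are noted in a comment.

```python
"""Added example (not from the forum post or Bad Behavior): pick out flooding
clients from Apache access-log lines and emit an .htaccess fragment so the
block happens in Apache before PHP runs. All sample log lines are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumes Apache's "combined" LogFormat:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_hits_in_window(timestamps, window_seconds):
    """Peak number of requests that fall inside any span of window_seconds.
    Two-pointer sweep over the sorted timestamps."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_flooders(lines, window_seconds=60, max_hits=30):
    """Return {ip: peak_hits} for clients exceeding max_hits requests in any
    window_seconds span. Thresholds are assumed values; tune them to real traffic."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec["ts"])
    flooders = {}
    for ip, stamps in per_ip.items():
        peak = max_hits_in_window(stamps, window_seconds)
        if peak > max_hits:
            flooders[ip] = peak
    return flooders


def referer_hosts(lines, ips):
    """Referer hostnames that appeared on requests from the given IPs."""
    hosts = set()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["ip"] in ips:
            host = urlsplit(rec["ref"]).hostname  # a "-" referer yields None
            if host:
                hosts.add(host)
    return hosts


def htaccess_fragment(flooders, hosts=()):
    """Apache 2.2-style rules (Order/Deny). On Apache 2.4 use 'Require all granted'
    followed by 'Require not ip ...' and 'Require not env blocked_referer' instead."""
    out = ["# generated from access log: IPs over the request-rate threshold",
           "Order Allow,Deny", "Allow from all"]
    for ip in sorted(flooders):
        out.append("Deny from %s" % ip)
    for host in sorted(hosts):
        # SetEnvIfNoCase takes a regex, so escape the dots in the hostname
        out.append('SetEnvIfNoCase Referer "%s" blocked_referer' % re.escape(host))
    if hosts:
        out.append("Deny from env=blocked_referer")
    return "\n".join(out) + "\n"


def sample_log():
    """Constructed sample: one client fires 45 requests in 45 seconds; two
    ordinary visitors each make five requests minutes apart."""
    base = datetime(2007, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    line = '%s - - [%s] "GET / HTTP/1.0" %d 233 "%s" "Mozilla/4.0"'
    lines = [line % ("198.51.100.7", (base + timedelta(seconds=i)).strftime(fmt),
                     403, "http://spam.example/") for i in range(45)]
    for ip in ("203.0.113.5", "192.0.2.44"):
        lines += [line % (ip, (base + timedelta(minutes=2 * i)).strftime(fmt), 200, "-")
                  for i in range(5)]
    return lines


if __name__ == "__main__":
    log = sample_log()
    bad = find_flooders(log)
    print(htaccess_fragment(bad, referer_hosts(log, bad)))
```

Run it against a real access log by replacing `sample_log()` with the lines of the file, and write the printed fragment into the .htaccess of the site root (or, better, into the main server config so Apache does not re-read a per-directory file on every request). Because the check is a peak-rate-per-window rather than a daily total, a client that bursts briefly is caught while a busy but legitimate reader is not; raise `max_hits` if the site's own traffic trips it.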