Thursday, August 11, 2005

Oh, so they were used after all

So apparently the sites were in actual use, hence the query for which site was under attack. Also, it turned out that the traffic spike I saw might not have been an actual SYN attack, but instead legitimate traffic.

It seems that the company that owns the sites has a domain that has nothing but advertising banners for gambling sites (since that's what they do) for which they bought advertising space on a bunch of porn sites (I'm sure on the theory of “in for a penny, in for a pound” but in this case, “in for a vice, in for a whole slew of vices”) and it caught our server unaware.

It's not like the server can't handle the load, but that Apache wasn't configured for such a spike in traffic. Now that I've tweaked the operating system (Linux):

sysctl -w net.ipv4.tcp_syncookies=1          # answer with SYN cookies once the backlog fills
sysctl -w net.ipv4.tcp_max_syn_backlog=2048  # room for more half-open connections
sysctl -w net.ipv4.tcp_syn_retries=2         # give up on unanswered SYNs sooner

and also tweaked KeepAliveTimeout, MinSpareServers, MaxSpareServers, StartServers and MaxClients in the Apache configuration (doubled each except for KeepAliveTimeout, which I decreased), the server is having no problem keeping up with the traffic (I also copied the site to the second server and am round-robinning requests between the two).
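As an added example (not code from the original post), the script below audits a host against the three kernel settings above and sanity-checks the Apache prefork directives mentioned. It reads `sysctl -a`-style output and an httpd.conf from files so it runs offline; the sample inputs in `demo` are constructed, and the `KEEPALIVE_MAX` threshold is an assumption of mine, not a value from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a box against the kernel
# SYN-backlog settings and the Apache prefork directives the post adjusted.
# On a real host feed it `sysctl -a > sysctl.txt` and the httpd.conf in use.

# Kernel settings the post applied (key=value, one per line).
SYSCTL_BASELINE="net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_syn_retries=2"

# Largest KeepAliveTimeout (seconds) accepted: an assumed value, tune to taste.
KEEPALIVE_MAX=5

# audit_sysctl FILE: FILE holds `sysctl -a`-style lines ("key = value").
# Prints each deviation from SYSCTL_BASELINE; returns the number of deviations.
audit_sysctl() {
    bad=0
    for entry in $SYSCTL_BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # make the dots literal
        have=$(sed -n "s/^$pat[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT   $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# apply_baseline: run the post's sysctl settings when root, else show them.
apply_baseline() {
    for entry in $SYSCTL_BASELINE; do
        if [ "$(id -u)" -eq 0 ]; then sysctl -w "$entry"; else echo "would run: sysctl -w $entry"; fi
    done
}

# directive NAME FILE: value of the last NAME directive in an Apache config
# (directive names are case-insensitive); empty if absent.
directive() {
    awk -v n="$1" 'tolower($1) == tolower(n) { v = $2 } END { print v }' "$2"
}

# audit_apache FILE: sanity-check the prefork directives the post tuned.
# Returns the number of findings.
audit_apache() {
    bad=0
    ka=$(directive KeepAliveTimeout "$1")
    mins=$(directive MinSpareServers "$1")
    maxs=$(directive MaxSpareServers "$1")
    start=$(directive StartServers "$1")
    maxc=$(directive MaxClients "$1")
    # A long keep-alive pins one child per idle client and eats MaxClients first.
    if [ -n "$ka" ] && [ "$ka" -gt "$KEEPALIVE_MAX" ]; then
        echo "KeepAliveTimeout $ka exceeds $KEEPALIVE_MAX"; bad=$((bad + 1))
    fi
    # Apache quietly raises MaxSpareServers to MinSpareServers+1 when inverted.
    if [ -n "$mins" ] && [ -n "$maxs" ] && [ "$mins" -gt "$maxs" ]; then
        echo "MinSpareServers $mins > MaxSpareServers $maxs"; bad=$((bad + 1))
    fi
    # StartServers above MaxClients can never be honoured.
    if [ -n "$start" ] && [ -n "$maxc" ] && [ "$start" -gt "$maxc" ]; then
        echo "StartServers $start > MaxClients $maxc"; bad=$((bad + 1))
    fi
    return $bad
}

# demo: constructed inputs (not from any real host) with one backlog value
# and one retry value drifted, a 15 s keep-alive, and inverted spare bounds.
demo() {
    dir=$(mktemp -d)
    printf 'net.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_max_syn_backlog = 1024\nnet.ipv4.tcp_syn_retries = 5\n' > "$dir/sysctl.txt"
    printf 'KeepAliveTimeout 15\nMinSpareServers 20\nMaxSpareServers 10\nStartServers 10\nMaxClients 300\n' > "$dir/httpd.conf"
    audit_sysctl "$dir/sysctl.txt"; echo "kernel deviations: $?"
    audit_apache "$dir/httpd.conf"; echo "apache findings: $?"
    rm -rf "$dir"
}
demo
```

Both audit functions return the finding count as their exit status, so they drop into a cron job or a deploy check as-is; `apply_baseline` only writes the sysctls when run as root and otherwise just prints what it would do.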

