Thursday, August 11, 2005
Oh, so they were used after all
So apparently the sites were in actual use, hence the query for which site was under attack. Also, it turned out that the traffic spike I saw might not have been an actual SYN attack, but instead legitimate traffic.
It seems that the company that owns the sites has a domain that has nothing but advertising banners for gambling sites (since that's what they do), for which they bought advertising space on a bunch of porn sites (I'm sure on the theory of “in for a penny, in for a pound,” but in this case, “in for a vice, in for a whole slew of vices”), and it caught our server unaware.
It's not like the server can't handle the load, but that Apache wasn't configured for such a spike in traffic. Now that I've tweaked the operating system (Linux):
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syn_retries=2
and also tweaked KeepAliveTimeout, MinSpareServers, MaxSpareServers, StartServers and MaxClients in the Apache configuration (doubled each except for KeepAliveTimeout, which I decreased), the server is having no problem keeping up with the traffic (I also copied the site to the second server and am round-robinning requests between the two).
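Doubling the prefork directives blindly is the part of this tuning that can backfire: MaxClients children all resident at once must fit in RAM, and every idle keep-alive connection pins a child for KeepAliveTimeout seconds. As an added example (not code from the original post), here is a small Python check that parses the five directives named above from an httpd.conf, verifies they are mutually consistent, estimates the worst-case memory footprint, and estimates how many new connections per second idle keep-alives alone would absorb. The sample configuration, the per-child memory figure and the RAM size are constructed assumptions for illustration.

```python
"""Sanity-check Apache prefork tuning before trusting it under a traffic spike.

Added example, not code from the original post. Assumes a prefork-style Apache
where each child holds roughly `rss_per_child_mb` of resident memory; that
figure, the RAM size and the sample config below are constructed.
"""
import re

# Constructed sample httpd.conf fragment: the post's five directives "doubled",
# KeepAliveTimeout lowered (values are illustrative, not the post's real ones)
SAMPLE_HTTPD_CONF = """
Timeout 300
KeepAlive On
KeepAliveTimeout 5
StartServers 10
MinSpareServers 10
MaxSpareServers 20
MaxClients 300          # doubled from 150
MaxRequestsPerChild 1000
"""

DIRECTIVES = ("KeepAliveTimeout", "StartServers", "MinSpareServers",
              "MaxSpareServers", "MaxClients")


def parse_prefork(conf_text):
    """Return {directive: int} for the prefork directives found.

    Comments are stripped first; if a directive repeats, the last one wins,
    which is how Apache itself resolves duplicates at the same scope.
    """
    values = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s+(\S+)$", line)
        if m and m.group(1) in DIRECTIVES:
            values[m.group(1)] = int(m.group(2))
    return values


def check_prefork(values, ram_mb, rss_per_child_mb):
    """Return a list of problems; an empty list means the tuning is consistent."""
    missing = [d for d in DIRECTIVES if d not in values]
    if missing:
        return ["missing directives: " + ", ".join(missing)]
    problems = []
    if values["MinSpareServers"] > values["MaxSpareServers"]:
        problems.append("MinSpareServers exceeds MaxSpareServers")
    if not values["MinSpareServers"] <= values["StartServers"] <= values["MaxSpareServers"]:
        problems.append("StartServers lies outside the spare-server range")
    if values["MaxClients"] < values["MaxSpareServers"]:
        problems.append("MaxClients is below MaxSpareServers")
    # Every child may be busy at once during a spike; if they do not all fit
    # in RAM the box swaps instead of returning quick 503s, which is worse.
    worst_case_mb = values["MaxClients"] * rss_per_child_mb
    if worst_case_mb > ram_mb:
        problems.append(
            f"MaxClients={values['MaxClients']} could use {worst_case_mb} MB, "
            f"more than the {ram_mb} MB of RAM assumed")
    return problems


def keepalive_capacity(values):
    """Rough new-connections-per-second at which idle keep-alives alone pin
    every child: MaxClients / KeepAliveTimeout (ignores request service time)."""
    return values["MaxClients"] / values["KeepAliveTimeout"]


if __name__ == "__main__":
    conf = parse_prefork(SAMPLE_HTTPD_CONF)
    print(conf)
    for ram in (2048, 4096):  # constructed RAM sizes in MB
        print(ram, "MB RAM:", check_prefork(conf, ram_mb=ram, rss_per_child_mb=10) or "ok")
    print("keep-alive saturation point: %.0f new conn/s" % keepalive_capacity(conf))
```

With the sample values the check reports that 300 children at an assumed 10 MB each would not fit in 2 GB but do fit in 4 GB, and that a 5-second KeepAliveTimeout lets the pool absorb roughly 60 new connections per second before idle keep-alives alone have pinned every child; the same config with the old 15-second timeout would saturate at about 20, which is why lowering KeepAliveTimeout mattered as much as raising MaxClients.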