www-mirrors mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Harri Salminen <...@nic.funet.fi>
Subject Re: Unusual Traffic
Date Tue, 12 May 2009 12:37:22 GMT
Silio d' Angelo wrote:
> may be download accelerators have this attitude but to download
> something like 86,000,000 bytes about 12,000 times, it seems to me a
> little excessive. And also, why all that is usually originated from
> an IP non resolving the reverse address and most of the times from
> some Chinese network ? This slows down the response of the server,
> floods the log files and also sinks almost all the "ipport_userreserved".
> Have you any suggestion on how to minimize their effects ?
I've noticed the same problem in www.nic.funet.fi, since some 
connections from same IP tried to download the same .iso file even over 
100 times over a slow connection from far away places and I had 
sometimes run out of threads (2048).  To limit the effect of such bad 
downloaders I've used mod_limitipconn module with max 10 tcp connections 
per IP.


There seems to be sometimes the side effect that connections are not 
always closed fast enough when a low latency user uses wget -R, yum 
update or similar to download small files and they get hit too but I 
haven't found a better solution. Maybe there could be limit just for 
requests with range? At least the server stays responsive now. I'd 
assume a real DOS attack would come from hunreds or thousands of 
different IPs instead of 100s from the same IP so they are probably 
those "accelerators".  They also seem to make the WWW statistics and 
server status meaningless.

e.g. now I'm supposedly serving 24Gbit/s over a 1Gbit/s link...

37.9 requests/sec - 4.0 GB/second - 181.9 MB/request
644 requests currently being processed, 76 idle workers

I wonder how easy it would be to fix the apache to log the actually 
transferred bytes, I haven't had time to look at the code.


> Thanks for the attention,
>                                  Silio ( dangelo@gno.uniRoma2.it )
> [ . . . ]
>>    this is what 'download accelerators' do : set up a lot of connections,
>>    each getting a different chunk of the same big file ; exit code 206 ;
>>    they are often badly written.
> [ . . . ]

View raw message