2004-11-27, 12:19 | Link #42 | |
Member of the Year 2004!
Join Date: Apr 2004
Location: "And if thou doest not well, _Sin_ lieth at the door."- Genesis 4:7
Age: 39
|
Quote:
|
|
2004-11-27, 12:22 | Link #43 | ||
It's bacon!
Join Date: Nov 2003
Location: Up and to the Left
Age: 44
|
Quote:
Quote:
|
||
2004-11-27, 16:08 | Link #44 |
Administrator
Administrator
Join Date: Jan 2001
Location: Netherlands
Age: 45
|
Or to put it in even more simple terms:
- A server has a maximum number of incoming connections. By default for example, Apache webservers are only able to handle 150 concurrent connections at the same time.
- In case of a SYN flood an attacker "rings the doorbell" sort of, that is, it asks the webserver to open a connection. The server then sends a "SYN" (synchronize) signal back in which it requests the connection to be "confirmed" (normally done using an "ACK" packet).
- But here is the problem: the attacker never does this. And by default, it can take seconds before such a "half-open" connection times out. And since the attacker is constantly trying to do this at usually a rate of several dozens to hundreds of connection attempts per second, legitimate connection requests fail to get through.
---
There are a few things that can be done about SYN floods. Blocking the IP that is SYN flooding you with a firewall kills it off pretty quickly. Unfortunately most DoS-ers are smarter than that and use thousands of zombies (hacked computers) to do the attacking. And blocking thousands of IPs is kind of a lot of work and nearly impossible to accomplish successfully.
One other way is to use "SYN cookies". In this case the server won't actually create a connection when somebody tries to connect, but sends some information back in the SYN packet which ultimately is returned back to the server in the ACK packet. Using this "cookie" information the server will then establish the connection when the ACK packet is received.
---
For server admins: a SYN flood is easy to detect by:
- Load: you will see MAX httpd processes, but very low load because they're all merely waiting for a connection to be established and don't actually do anything.
- Run "netstat -nap|grep RECV". Note that it is normal for 0-5 connections to be in this state at all times. 20+ however is very suspicious, especially if there are many requests from the same IP. |
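The netstat check from the post above, as an added example that is not part of the original thread: it counts half-open (SYN_RECV) connections per source address and flags the total against the post's "20+" figure. The function names, the default threshold argument and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `netstat -n`-style lines on stdin
# (Proto Recv-Q Send-Q Local Foreign State ...).

# Print "<count> <source-ip>" for every source with SYN_RECV entries,
# busiest source first.
syn_recv_sources() {
  awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
         ip = $5
         sub(/:[0-9]+$/, "", ip)   # drop the :port suffix of the foreign address
         print ip
       }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# syn_flood_check [THRESHOLD]: prints total=<n>, the per-source breakdown,
# and status=suspicious when the total reaches THRESHOLD (default 20).
syn_flood_check() {
  threshold="${1:-20}"
  per_ip="$(syn_recv_sources)"
  total="$(printf '%s\n' "$per_ip" | awk '{ s += $1 } END { print s + 0 }')"
  printf 'total=%d\n' "$total"
  if [ -n "$per_ip" ]; then printf '%s\n' "$per_ip"; fi
  if [ "$total" -ge "$threshold" ]; then
    echo "status=suspicious"
  else
    echo "status=normal"
  fi
}

# Constructed sample input: one established connection, three scattered
# half-open ones, and 22 half-open entries from a single source.
sample_netstat() {
  echo "tcp 0 0 192.0.2.10:80 198.51.100.7:51514 ESTABLISHED 2101/httpd"
  echo "tcp 0 0 192.0.2.10:80 198.51.100.7:51520 SYN_RECV -"
  echo "tcp 0 0 192.0.2.10:80 198.51.100.23:40022 SYN_RECV -"
  echo "tcp 0 0 192.0.2.10:80 198.51.100.23:40023 SYN_RECV -"
  port=1025
  while [ "$port" -le 1046 ]; do
    echo "tcp 0 0 192.0.2.10:80 203.0.113.9:${port} SYN_RECV -"
    port=$((port + 1))
  done
}
```

On a live server the same function takes real input, for example `netstat -nap | syn_flood_check`; a total dominated by one address points at a single source, while a high total spread over many addresses matches the "thousands of zombies" case the post describes.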
2004-11-27, 17:34 | Link #45 | |
r00t for life
Join Date: Jun 2003
Location: /dev/null
|
Quote:
|
|
2004-12-02, 18:12 | Link #46 |
SL Aki fanclub president
Join Date: Feb 2004
Location: Germany
|
Server too busy?
Since yesterday, I'm starting to get these strange "The server is too busy. Try again later" or "Problem connecting to Database" messages.
I then have to wait a few minutes until it works again... what's up there? Are you working on the server or something? |
2004-12-02, 18:14 | Link #47 | |
Monarch Programmer
Join Date: Apr 2004
Location: Liverpool
Age: 43
|
Quote:
It's a tough job being a member of the best anime forum on the net. So many jealous ppl trying to ruin it for us.
|
|
2004-12-06, 18:29 | Link #48 |
It's bacon!
Join Date: Nov 2003
Location: Up and to the Left
Age: 44
|
These "The server is too busy." messages are becoming a daily thing now. Current workaround is to right-click within the message text entry box, select Select All from the menu, and then right-click again and select Copy. When the "The server is too busy" message appears after submitting reply, select the web browser's Back button, wait about eight minutes for Mb81 to go ape shit on the DDOS'ers, then return to the topic of interest and re-reply if necessary... using the computer's right-click & Paste function to reapply your text message.
|
2004-12-06, 18:38 | Link #49 | |
Weapon of Mass Discussion
Fansubber
Join Date: Feb 2003
Location: New York, USA
|
Quote:
Opera keeps all form information, so when I click the Back button, my reply is still there in the message box waiting for me. Hence I don't have to copy my reply to the clipboard. (This is useful in all sorts of situations where I want to hit the back button while paging through forms, such as shopping.)
|
|
2004-12-06, 19:59 | Link #50 | |
Senior Member
Join Date: Nov 2003
Location: Antwerp area, Belgium, Europa
Age: 48
|
Quote:
|
|
2004-12-08, 13:30 | Link #51 | |
Member of the Year 2004!
Join Date: Apr 2004
Location: "And if thou doest not well, _Sin_ lieth at the door."- Genesis 4:7
Age: 39
|
Quote:
You couldn't have banned a regular user though? Maybe his machine was used by someone else to flood? |
|
2004-12-08, 17:23 | Link #52 |
…Nothing More
Administrator
Join Date: Mar 2003
Age: 44
|
Not sure why you posted the IP... especially if you thought it was a regular user's IP... but anyway; I can tell you the computer at that address isn't exactly a normal DSL user. The 62.255.64.4-12 range, of which 62.255.64.7 (popl-cache-4.server.ntli.net) is a part, are NTL web cache / proxy servers... so yes it could be a cable customer of NTL but they would be going via the web cache. All "home" NTL customers (as well as customers of a few other networks who use their services) are forced through NTL caches transparently. (Which is why you'll see the IP on a lot of forums as _Sin_ pointed out...)
|
|
|