Forum Downtime / Server Problems

[TheLaughingMan]

Quote:

Originally Posted by Mb81

Well, we got a synflood again (lame admins..). One was from berserkanime.com... which is now (my deep regrets) down.

Pardon my ignorance, but what exactly is a "synflood"?

[_Sin_]

Quote:

Originally Posted by TheLaughingMan

Pardon my ignorance, but what exactly is a "synflood"?

I don't think that this explanation is understandable enough for you (me either) but that's what I gathered from it: It is as if non-existant members try to access the Forums at once so that the server cannot fulfill each one's requests and you get the dreaded "server is busy" message.

[Green²]

Quote:

Originally Posted by TheLaughingMan

Pardon my ignorance, but what exactly is a "synflood"?

Quote:

Denial of service attacks by exploiting network connectivity
In this type of denial of service the attacker attempts to force the server not to communicate on the network and hence denies a service. Do not however confuse this with bandwidth consumption as in this case the attack does not feature around consuming all bandwidth.

Rather the attacker establishes a connection but does it in a way that the connection never completes and at the same time the server may have reserved one of a few kernel data structures to complete the connection but since the connection never completes once the victim runs out of structures new legitimate connections cannot be started. This is called a "SYN FLOOD" attack.

http://www.surasoft.com/articles/ddosa.php

[GHDpro]

Or to put it in even more simple terms:

- A server has a maximum number of incoming connections. By default for example,
Apache webservers are only able to handle 150 concurrent connections at the same time.

- In case of a SYN flood an attacker "rings the doorbell" sort of, that is, it asks the webserver
to open a connection. The server then sends a "SYN" (synchornize) signal back in which it requests
the connection to be "confirmed" (normally done using an "ACK" packet).

- But here is the problem: the attacker never does this. And by default, it can take seconds
before such a "half-open" connection times out. And since the attacker is constantly trying to
do this at usually a rate of several dozens to hundreds of connection attempts per second,
legimate connection requests fail to get through.

---
There are a few things that can be done about SYN floods. Blocking the IP that is SYN flooding
you with a firewall kills it off pretty quickly. Unfortunately most DoS-ers are smarter than that
and use thousands of zombies (hacked computers) to do the attacking. And blocking thousands
of IPs is kind of a lot of work and nearly impossible to accomplish succesfully.

One other way is to use "SYN cookies". In this case the server won't actually create a connection
when somebody tries to connect, but sends some information back in the SYN packet which ultimately
is returned back to the server in the ACK packet. Using this "cookie" information the server will
then establish the connection when the ACK packet is received.

---
For server admins: a SYN flood is easy to detect by:

- Load: you will see MAX httpd processes, but very low load because they're all merely
waiting for a connection to be established and don't actually do anything.

- Run "netstat -nap|grep RECV". Not that it is normal for 0-5 connections to be in
this state at all times. 20+ however is very suspicious, especially if there are many
requests from the same IP.

[Forse]

Quote:

Originally Posted by GHDpro

Or to put it in even more simple terms:
---
For server admins: a SYN flood is easy to detect by:

- Load: you will see MAX httpd processes, but very low load because they're all merely
waiting for a connection to be established and don't actually do anything.

- Run "netstat -nap|grep RECV". Not that it is normal for 0-5 connections to be in
this state at all times. 20+ however is very suspicious, especially if there are many
requests from the same IP.

You can simply install anti DDoS module for apache which will detect possible attack (if client sends too many requests too fast) and will put it on ban for say....40min =)

[Lina Inverse]

Since yesterday, I'm starting to get these strange "The server is too busy. Try again later" or "Problem connecting to Database" messages
I then have to wait a few minutes until it works again... what's up there? Are you working on the server or something?

[Shay]

Quote:

Originally Posted by Lina Inverse

Since yesterday, I'm starting to get these strange "The server is too busy. Try again later" or "Problem connecting to Database" messages
I then have to wait a few minutes until it works again... what's up there? Are you working on the server or something?

Join the club.

It's a tough job being a member of the best anime forum on the net. So many jealous ppl trying to ruin it for us.

[Green²]

These "The server is too busy." messages are becoming a daily thing now. Current workaround is to right-click within the message text entry box, select Select All from the menu, and then right-click again and select Copy. When the "The server is too busy" message appears after submitting reply, select the webbrowser's Back button, wait about eight minutes for Mb81 to go ape shit on the DDOS'ers, then return to the topic of interest and re-reply if necessary,.. using the computer's right-click & Paste function to reapply your text message.

[NoSanninWa]

Quote:

Originally Posted by Green²

These "The server is too busy." messages are becoming a daily thing now. Current workaround is to right-click within the message text entry box, select Select All from the menu, and then right-click again and select Copy. When the "The server is too busy" message appears after submitting reply, select the webbrowser's Back button, wait about eight minutes for Mb81 to go ape shit on the DDOS'ers, then return to the topic of interest and re-reply if necessary,.. using the computer's right-click & Paste function to reapply your text message.

I don't know if you care, but perhaps someone will.

Opera keeps all form information, so when I click the Back button, my reply is still there in the message box waiting for me. Hence I don't have to copy my reply to the clipboard. (This is useful in all sorts of situations where I want to hit the back button while paging through forms, such as shopping.)

[7thMethuselah]

Quote:

Originally Posted by Green²

These "The server is too busy." messages are becoming a daily thing now.

Well, I haven't seen them in quite a while and I check the forum alot. It did happen about an hour or two ago, "cannot connect to database" but a minute later it was ok again... On a side note : lately I no longer have any speed problems either, for me the forum is running nice fast and smoothly good work Mb81 (and other adminshelping in the forum software but of whose contribution I am unaware )

[_Sin_]

Quote:

Originally Posted by Mb81

Again a flooder.. i`m still checking this currently. But since that IP is banned.. all is running fine..


EDIT: 62.255.64.7... maybe i`m wrong but isn`t that a normal user isp ?

Seems so. I just did a google search on "62.255.64" and alot of posts (who logged the user's IP showed up), all in the format 62.255.64.xxx.

You coudn't have banned a regular user though? Maybe his machine was used by someone else to flood?

[NightWish]

Not sure why you posted the IP... especially if you thought it was a regular user's IP... but anyway; I can tell you the computer at that address isn't a exactly normal DSL user. The 62.255.64.4-12 range, of which 62.255.64.7 (popl-cache-4.server.ntli.net) is a part, are NTL web cache / proxy servers... so yes it could be a cable customer of NTL but they would be going via the web cache. All "home" NTL customers (as well customers of a few other networks who use their services) are forced through NTL caches transparently. (Which is why you'll see the IP on a lot of forums as _Sin_ pointed out...)

[Shay]

I just got the surver is busy message a few times.

Just thought you might want to know.

[Shay]

Quote:

Originally Posted by Mb81

When was that ?

About 3 hours ago.

I'd say I got the message no less than 9 times. But all is well now.

Just thought you might have been interested.

[_Sin_]

Server busy message for me as well. About 15mins ago.

[StoneColdCrazy]

Quote:

Originally Posted by _Sin_

Server busy message for me as well. About 15mins ago.

Same here for me, I also got it sporadically yesterday (although it mainly happened with pop-up windows, such as the reputation window).

SCC

[StoneColdCrazy]

"The server is too busy right now. Please try again later."

@ 23:15 GMT.

SCC