With help from the fine folks at ASF Infra, I've managed to get back into our DDoS'd machine which handles all of the Rule QA operations. I've added a rather gross but effective stanza to the main script for the ruleqa website which assures that no volume of hits on the webserver can so overload the machine that it cannot do its most important work: ingesting and analyzing masscheck results and rescoring the ruleset. If you hit it when it is being hit too hard by the thousands of IPs used in the attack, you will get a page saying that it is offline. This is suboptimal. We live in a broken world.
At this moment, after ~2 hours with that in place, the site is persistently accessible and the load is low. It looks like the segment of the mob which was doing the heaviest hitting has taken a break for now. This sort of break had not occurred for over 2 weeks until now. Please be aware that while this same sort of attack is hitting a lot of sites, it is not universal and it is not untargeted. I get a sense that it is also not unmonitored as a DDoS, as it does seem that when I've found a useful tactic and worked it for a while (e.g. whack-a-mole blocking) eventually the new hits just stop coming. As if they've stopped to revise their tactics. That sort of lull is present now, after about an hour of heavy pounding after I deployed the current defense.

-- 
Bill Cole
[email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com addresses)
Please keep discussion mailing list replies *on-list*
Not Currently Available For Hire
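The load-shedding gate described in the message above, as an added example that is not Bill Cole's actual stanza and not part of the SpamAssassin ruleqa code: a POSIX shell CGI wrapper that checks the 1-minute load average before handing the request to the real script, and answers with an HTTP 503 plus Retry-After when the box is too busy. The threshold (8), the environment variable LOAD_LIMIT, the function names and the path /path/to/ruleqa.cgi are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: a load-aware CGI gate in front of a web script.
# Not the ruleqa site's real code; threshold, names and paths are assumptions.
# Idea: when the machine is busy with its real job (masscheck ingestion and
# rescoring), refuse web hits cheaply instead of letting them pile up.

LOAD_LIMIT="${LOAD_LIMIT:-8}"   # hypothetical threshold; tune per machine

# should_shed LOAD LIMIT
# Returns 0 (shed the request) when LOAD exceeds LIMIT, 1 otherwise.
# Pure function of its arguments so it can be tested without /proc.
should_shed() {
    load="$1"
    limit="$2"
    # awk does the decimal comparison portably; exit 0 when load > limit
    awk -v l="$load" -v m="$limit" 'BEGIN { exit !(l+0 > m+0) }'
}

# current_load
# Prints the 1-minute load average, or 0 when /proc/loadavg is unavailable
# (non-Linux hosts), so the gate fails open rather than refusing everything.
current_load() {
    if [ -r /proc/loadavg ]; then
        cut -d' ' -f1 /proc/loadavg
    else
        echo 0
    fi
}

# offline_page RETRY_SECONDS
# Emits a CGI response with status 503 and a Retry-After header so
# well-behaved clients back off, plus a short notice for humans.
offline_page() {
    retry="$1"
    printf 'Status: 503 Service Unavailable\r\n'
    printf 'Retry-After: %s\r\n' "$retry"
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'ruleqa is temporarily offline while this machine is under heavy load.\n'
}

# gate: shed or hand off to the real script (path is a placeholder assumption).
gate() {
    if should_shed "$(current_load)" "$LOAD_LIMIT"; then
        offline_page 120
        return 0
    fi
    exec /path/to/ruleqa.cgi "$@"
}

# Only act as a CGI when actually invoked by a web server.
if [ -n "$GATEWAY_INTERFACE" ]; then
    gate "$@"
fi
```

Serving the 503 costs one read of /proc/loadavg and a few printf calls, which is the point: the attacker's hits are answered with almost no work while the load is high, and the real script only runs when the machine has headroom. The 1-minute average lags a sudden burst, so a site under sustained attack will still see a short window of slow responses before the gate closes.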
