On 22/04/13 15:34, Stephen Villano wrote:
> First, have there been any configuration changes shortly before the
> problem began? The first rule is "look for stupidity", as in an
> error in configuration causing a self-DOS. Many of us have done
> that to ourselves, to our embarrassment. If not, go with Tim's
> suggestion and also look at squid's logs. Are you getting requests,
> but no full session (syn flood)?
>
> I'm on your site periodically. It's normally smoothly running,
> since you went with Linode. The site is overall well behaved.
> However, it is one that could easily become the target of a script
> kiddie. So, do you have SYN cookies turned on?

Most kinds of DoS attack, including SYN flooding, can be seen in Ganglia as a sharp increase in inbound network traffic, especially as measured by packet count (pkts_in).

SYN cookies are definitely a good idea, regardless of whether an attack is underway. They are enabled by default in Ubuntu.

-- Tim Starling

_______________________________________________
MediaWiki-l mailing list
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
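
The two questions raised in this thread (are SYN cookies on, and are SYNs arriving without full sessions) can be checked on the server itself. The following is an added example, not part of the original messages: it reads the Linux `net.ipv4.tcp_syncookies` setting and compares two snapshots of the TcpExt counters in `/proc/net/netstat`. The sample snapshots are constructed, and the `assess` heuristic and its 5% threshold are assumptions of this example.

```python
from pathlib import Path

# Constructed samples: two /proc/net/netstat snapshots taken some seconds
# apart, trimmed to the TcpExt counters this example reads.
HEADER = "TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops\n"
SAMPLE_BEFORE = HEADER + "TcpExt: 0 0 12 3 3\n"
SAMPLE_AFTER = HEADER + "TcpExt: 48210 35 12 3 3\n"
WATCHED = ("SyncookiesSent", "SyncookiesRecv", "SyncookiesFailed",
           "ListenOverflows", "ListenDrops")


def parse_tcpext(text):
    """Return {counter: value} from the TcpExt header/value line pair."""
    rows = [line.split() for line in text.splitlines()
            if line.startswith("TcpExt:")]
    if len(rows) < 2:
        raise ValueError("no TcpExt header/value pair found")
    return {name: int(val) for name, val in zip(rows[0][1:], rows[1][1:])}


def syn_delta(before, after):
    """Increase of each watched counter between two snapshots."""
    old, new = parse_tcpext(before), parse_tcpext(after)
    return {k: new.get(k, 0) - old.get(k, 0) for k in WATCHED}


def assess(delta, syncookies, min_completion=0.05):
    """Heuristic of this example; min_completion is an assumed threshold."""
    sent, recv = delta["SyncookiesSent"], delta["SyncookiesRecv"]
    if syncookies == 0:  # 0 = disabled; 1 and 2 both enable cookies
        if delta["ListenDrops"] > 0:
            return "syncookies off, SYNs to listening sockets being dropped"
        return "syncookies off, no drops seen"
    if sent > 0 and recv < sent * min_completion:
        return "possible SYN flood: cookies sent, few handshakes completed"
    if sent > 0:
        return "SYN queue overflowing, handshakes still completing"
    return "no SYN queue pressure"


if __name__ == "__main__":
    import time
    netstat = Path("/proc/net/netstat")
    setting = Path("/proc/sys/net/ipv4/tcp_syncookies")
    if netstat.exists() and setting.exists():      # live Linux host
        first = netstat.read_text()
        time.sleep(10)
        print(assess(syn_delta(first, netstat.read_text()),
                     int(setting.read_text())))
    else:                                          # offline: constructed data
        print(assess(syn_delta(SAMPLE_BEFORE, SAMPLE_AFTER), 1))
```

A large rise in SyncookiesSent with almost no matching SyncookiesRecv means the listen queue is overflowing with SYNs whose handshakes are never completed, which should line up with the pkts_in spike in Ganglia.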
