discuss AT lists.opennicproject.org
Subject: Discuss mailing list
List archive
- From: Jeff Taylor <shdwdrgn AT sourpuss.net>
- To: discuss AT lists.opennicproject.org
- Subject: Re: [opennic-discuss] Killed an IP due to excessive usage
- Date: Sat, 25 Dec 2010 18:05:11 -0700
- List-archive: <http://lists.darkdna.net/pipermail/discuss>
- List-id: <discuss.lists.opennicproject.org>
It's not that I'm afraid of traffic, but this was a sustained stream that was pulling a huge amount of bandwidth from a single source. If it was a small burst, I wouldn't have even noticed, but the problem continued long enough that I had time to look into it, discover where the problem was at, monitor the traffic for a bit, and decide what I wanted to do about it. The traffic had completely stopped ALL other internet traffic, so it was disrupting all normal service here.
I have run bandwidth tests that never made a dent in my normal traffic. If that was a benchmark test, it is very poorly written and has no business being run on servers without notification, and it certainly should not have been run for such a long length of time. In the 11 years I've been running servers, I have never seen legitimate traffic (and especially not DNS queries) disrupt a connection like that.
Also consider this... If you have a single connection suddenly take up all of your bandwidth for no apparent reason and without any warning, would you allow that connection to persist no matter how long it went on for, or would you kill the connection in favor of serving traffic to the greater number of known queries?
On 12/25/2010 01:14 PM, Günter Grodotzki wrote:
Assumption is never for sure. I never block any IPs. I have been running a T2 Public server for over a year and I have _never_ experienced malicious traffic, or traffic that would hurt my server traffic wise or hardware wise (1ghz / 1GB RAM ...). Funny is, that rather single requests put my cpu to 100% not massive ones (software was defect, so a single request to a special dns-entry caused crashes)
As you can see in my current graph: http://217.79.186.148/ I do have some bursts/tops but as stated above, as they don't harm - I do not care.
But I would never go that far and think bad for everything. I would rather assume that somebody is benchmarking your dns server, check:
http://code.google.com/p/namebench/
and
http://blog.binfalse.de/2010/12/opennic-dns-network/
e.g. dns benchmarking seems to get more in common. so blocking those IPs is most probably very bad advertisement, as you are blocking potential users.
So as I stated already before in the ML, if you are afraid of traffic, don't host anything public. I always welcome any kind of traffic :)
On 12/25/10 9:14 AM, Jeff Taylor wrote:
I had a couple others that were showing usage in the tens of thousands_______________________________________________
for the day, which I briefly considered nuking, but after I blocked this
one IP the traffic dropped off so much that the other queries looked
more like normal usage. I honestly think this was either some kind of
spambot, or a directed attack against my server. The last time I saw
that kind of traffic on my T2, there was clear evidence that it was
related to spam runs. Normal traffic under OpenNic should never approach
enough volume to saturate a basic DSL connection (unless we grow by at
least a factor of 10), so when I see something like this occur, I can
only assume it is malicious traffic.
On 12/24/2010 09:26 PM, Dean Gardiner wrote:
For a minute there I thought it was my "monitor.ing" but that only
does 1 request every 5th minutes.
On Dec 25, 2010 5:08 PM, "Jeff Taylor" <shdwdrgn AT sourpuss.net
<mailto:shdwdrgn AT sourpuss.net>> wrote:
> This evening I have to block an IP address which was pulling *massive*
> amounts of queries off of ns1.co.us.dns.opennic.glue. This address was
> completely flooding my bandwidth and preventing regular traffic
flow, so
> I nuked it with iptables.
>
> If 88.190.13.47 belongs to you, sorry for that but good god what were
> you doing? If there was a legitimate use for so much traffic (about
> 250,000 queries in 10-15 minutes), let me know, and we'll see if we can
> work out something.
> _______________________________________________
> discuss mailing list
> discuss AT lists.opennicproject.org
<mailto:discuss AT lists.opennicproject.org>
> http://lists.darkdna.net/mailman/listinfo/discuss
_______________________________________________
discuss mailing list
discuss AT lists.opennicproject.org
http://lists.darkdna.net/mailman/listinfo/discuss
_______________________________________________
discuss mailing list
discuss AT lists.opennicproject.org
http://lists.darkdna.net/mailman/listinfo/discuss
discuss mailing list
discuss AT lists.opennicproject.org
http://lists.darkdna.net/mailman/listinfo/discuss
- [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/24/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Dean Gardiner, 12/24/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Günter Grodotzki, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Günter Grodotzki, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/25/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Christopher, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Larry Brower, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Julian De Marchi, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Julian De Marchi, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Larry Brower, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Julian De Marchi, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Jeff Taylor, 12/29/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Christopher, 12/28/2010
- Re: [opennic-discuss] Killed an IP due to excessive usage, Dean Gardiner, 12/24/2010
Archive powered by MHonArc 2.6.19.