ClaudeBot server attack.

Latest Atari related news.
dad664npc
Posts: 166
Joined: 12 Sep 2022 14:32
Location: Oxfordshire

Re: ClaudeBot server attack.

Post by dad664npc »

Are you still being attacked? PMs don't seem to be going out.
ATARI STfm, STe, Mega ST, TT
Amstrad CPC464, CPC6128
PiStorm dev - https://github.com/gotaproblem/pistorm-atari
Pico HDC - https://bbansolutions.co.uk
exxos
Site Admin
Posts: 28360
Joined: 16 Aug 2017 23:19
Location: UK

Re: ClaudeBot server attack.

Post by exxos »

dad664npc wrote: 27 Apr 2024 22:38 Are you still being attacked? PMs don't seem to be going out.
No attacks. If there were, the forum would be running very slowly or die totally.

What do you mean by PMs not going out? Do you mean stuck in the outbox? As that simply means they're not being read yet.

PMs are working fine for me.
exxos
Site Admin
Posts: 28360
Joined: 16 Aug 2017 23:19
Location: UK

Re: ClaudeBot server attack.

Post by exxos »

Can anyone open more than 100 connections at once to see if over 100 they now get dropped?

I think I can also use fail2ban as a request limiter with temp ban. Will look into that more tomorrow.
dalek
Posts: 232
Joined: 08 Nov 2018 11:03
Location: NSW Australia

Re: ClaudeBot server attack.

Post by dalek »

Amazon posts ip-ranges in JSON format, from which you can extract, say once per day, all the EC2 address ranges and add them to rate limiting (in e.g. fail2ban, iptables) or, better, since the site is running nginx, in a rate-limiting config.
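
One way to do what dalek's post describes, as an added example that is not code from any poster in this thread: filter the EC2 entries out of a document shaped like AWS's published https://ip-ranges.amazonaws.com/ip-ranges.json and render an nginx `geo`/`map`/`limit_req_zone` fragment that rate limits only those sources. The embedded JSON is constructed from documentation prefixes, and the variable names, zone name and `1r/s` rate are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json. The prefixes are
# documentation ranges (RFC 5737 / RFC 3849), not real AWS allocations.
SAMPLE = json.dumps({
    "syncToken": "0", "createDate": "2024-04-28-00-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.128/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1000::/40", "region": "us-east-1", "service": "EC2"},
    ],
})


def ec2_networks(doc):
    """Return the EC2-tagged IPv4 and IPv6 networks, merged where adjacent."""
    data = json.loads(doc)
    v4 = [ipaddress.ip_network(p["ip_prefix"])
          for p in data.get("prefixes", []) if p.get("service") == "EC2"]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"])
          for p in data.get("ipv6_prefixes", []) if p.get("service") == "EC2"]
    # collapse_addresses needs one IP version per call, so merge separately.
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))


def nginx_snippet(networks, rate="1r/s"):
    """Render geo/map/limit_req_zone so that only EC2 sources are limited."""
    lines = ["geo $from_ec2 {", "    default 0;"]
    lines += [f"    {net} 1;" for net in networks]
    lines += ["}",
              "map $from_ec2 $ec2_key {",
              '    0 "";                   # empty key: request is not counted',
              "    1 $binary_remote_addr;  # EC2 source: limited per address",
              "}",
              f"limit_req_zone $ec2_key zone=ec2:10m rate={rate};  # rate is a placeholder"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(nginx_snippet(ec2_networks(SAMPLE)))
```

The fragment belongs in the `http` context; the limit only takes effect once a `limit_req zone=ec2;` directive is placed in the relevant `server` or `location` block.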
exxos
Site Admin
Posts: 28360
Joined: 16 Aug 2017 23:19
Location: UK

Re: ClaudeBot server attack.

Post by exxos »

Didn't know they published IP ranges. But it'd be easier just to block AWS servers and have done with it. But it doesn't help when some other server outside of Amazon hits my server. It doesn't happen often, but it keeps happening and soaking up my time :(

Rate limit I tried a few posts back. The limit works but it doesn't help overall. It's why I'm looking just to ban IP addresses who flood the server automatically and have done with it all.

The tricky part is drawing the line between legitimate requests and flood attacks. But I'll study the logs more closely to figure that out.
sandord
Posts: 764
Joined: 13 Aug 2018 22:08
Location: The Netherlands

Re: ClaudeBot server attack.

Post by sandord »

I wonder why phpBB's caching mechanism isn't helping enough in this case. Is it because most requests are to pages that aren't cached yet because they haven't been visited for a while? Or is phpBB still executing SQL queries even when serving a cached page?
exxos
Site Admin
Posts: 28360
Joined: 16 Aug 2017 23:19
Location: UK

Re: ClaudeBot server attack.

Post by exxos »

sandord wrote: 28 Apr 2024 12:30 I wonder why phpBB's caching mechanism isn't helping enough in this case. Is it because most requests are to pages that aren't cached yet because they haven't been visited for a while? Or is phpBB still executing SQL queries even when serving a cached page?
I don't know much about phpBB's backend. Though it's always the SQL server which becomes the bottleneck. When I clear the cache it can take several seconds to show the index page. So it's doing something. But I guess that's mostly just code type caching and SQL queries are all still in realtime.

I had monitors on slow SQL queries last year. It's the total post count which can take 2 seconds. If there are several requests at once it seems fine. But beyond that it takes 2 seconds. I've thought about just removing the counts a few times. But that only applies to the index page anyway. The server has a lot of free RAM so SQL should be caching a lot of stuff already. I've tried before to make it faster. I don't know what it is with MySQL. It just seems to always be the bottleneck.

But when there are 900 IPs opening up 100s of requests per second anyway, the server simply runs out of CPU power. Maybe if I had 100 CPU cores it would work fine, but 4 cores is expensive enough.
sporniket
Site sponsor
Posts: 1164
Joined: 26 Sep 2020 21:12
Location: France

Re: ClaudeBot server attack.

Post by sporniket »

It seems that the server is still under stress, I often get some server errors (HTTP 504/503) or missing pictures or stylesheet.

edit : most likely when I open several topics in a row in separate tabs when catching up with unread new posts.
exxos
Site Admin
Posts: 28360
Joined: 16 Aug 2017 23:19
Location: UK

Re: ClaudeBot server attack.

Post by exxos »

sporniket wrote: 28 Apr 2024 17:01 It seems that the server is still under stress, I often get some server errors (HTTP 504/503) or missing pictures or stylesheet.

edit : most likely when I open several topics in a row in separate tabs when catching up with unread new posts.
It's because, as said a few posts up, there is a rate limit of 100 requests. But I've upped it to 300 now.
exxos
Site Admin
Posts: 28360
Joined: 16 Aug 2017 23:19
Location: UK

Re: ClaudeBot server attack.

Post by exxos »

So 300 requests will work, then it will drop connections. That works fine. If I open the store page 3 times, graphics start not loading.

Over 400 connections in 60 seconds *should* get the IP banned. But I don't think that's working.

@derkom not sure if you can help test IP banning? (or anyone else)
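
A way to check the ban rule discussed above against logs, as an added example that is not code from any poster in this thread: a sliding-window counter over nginx "combined" access-log lines that reports each address exceeding 400 requests within 60 seconds, the same count-in-window idea fail2ban expresses with `maxretry` and `findtime`. The log lines are constructed (documentation addresses, made-up timestamps) and include a heavy reader whose total is high but never crosses the threshold inside one window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Threshold stated in the thread: over 400 requests within 60 seconds.
MAX_REQUESTS, WINDOW_SECONDS = 400, 60

# Client address and timestamp at the start of an nginx "combined" log line.
LINE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")


def flooding_ips(lines, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
    """Return {ip: time the limit was first exceeded}; lines must be in time order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # ignore lines that are not access-log entries
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop requests that have aged out
        if len(q) > max_requests:
            flagged.setdefault(ip, ts)
    return flagged


def _line(ip, second):
    m, s = divmod(second, 60)
    return (f'{ip} - - [28/Apr/2024:17:{m:02d}:{s:02d} +0100] '
            '"GET /viewtopic.php HTTP/1.1" 200 512 "-" "-"')


def sample_log():
    """Constructed log: one flooding client and one heavy but bursty reader."""
    hits = [("203.0.113.7", i // 10) for i in range(450)]          # 450 in 45 s
    hits += [("198.51.100.20", i // 15) for i in range(300)]       # 300 in 20 s
    hits += [("198.51.100.20", 140 + i // 15) for i in range(150)]  # 150 more, later
    hits.sort(key=lambda h: h[1])
    return [_line(ip, sec) for ip, sec in hits]


if __name__ == "__main__":
    for ip, when in flooding_ips(sample_log()).items():
        print(ip, "exceeded the limit at", when.isoformat())
```

Replaying real log lines through `flooding_ips` with different `max_requests` values shows which readers a given threshold would catch before it is turned into a ban.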
