You are reading a single comment by @Greenbank and its replies. Click here to read the full conversation.
  • The forum is being attacked.

    It's a layer 7 attack, meaning a web application attack.

    The requests look like this:

    2a02:c7f:624:3500:a889:f9e4:656f:6ccf - - [19/Jul/2016:05:52:12 +0000] "GET /today/?offset=25 HTTP/1.1" 499 0 "https://www.lfgss.com" "Mozilla/5.0 (Windows NT 6.0; rv:47.0) Gecko/20100101 Firefox/47.0"
    

    They nearly all originated from Sky broadband connections (which that IPv6 belongs to) and they have been reported to abuse@sky.com which is the abuse email for Sky http://bgp.he.net/ip/2a02:c7f:624:3500:a889:f9e4:656f:6ccf http://bgp.he.net/AS5607#_whois

    We received between 30-60 HTTP requests per second for /today/?offset=25 from just before midnight BST through to my turning on CloudFlare this morning.

    I'll be adding a rate limiter today to auto block such attacks in future, but in the meantime CloudFlare are handling it.

  • From just one IP or many IPs in the same range?

    Just one IP and it could just be someone's misconfigured browser or even a buggy script.

  • Predominantly from one IP.

    And low enough in HTTP requests per second to fly just under the CloudFlare automated detection radar, but enough to eventually overwhelm these servers.

    There was a rehearsal first, but that was nearly all cached and didn't affect us at all. Then there was the attack itself.

    Attachment shows rehearsal and then the attack.

About

Avatar for Greenbank @Greenbank started