Attached are two images, a normal day (looks like a hill) and yesterday (looks like needles).
On a normal day we do about 500K requests... and yesterday we received multiple floods of 150-190K requests.
More frustrating, the 150K requests would arrive in about 1-3 seconds, a well-tuned server can typically only do about 20K requests per second... and so LFGSS and all of the other sites fell over, they were totally overloaded and the sites went offline.
Each time I stood the site up, within a minute another flood would arrive... knocking it offline again.
It was... frustrating. More so as I'm on holiday and that's always the way of things... attacks, vulnerabilities, incidents... they tend to happen when one can least spend time on them, and so it was yesterday too.
I finally sat down this morning and was able to really go through all of the log files to find deeper commonalities between the requests so that I could get something more effective to block, and it's 7:30 am in Crete and I finally found an HTTP header spelling mistake within the attack traffic that I can use.
It should be over now, but I'll check periodically.