With help from the fine folks at ASF Infra, I've managed to get back into our 
DDoS'd machine which handles all of the Rule QA operations. I've added a rather 
gross but effective stanza to the main script for the ruleqa website which 
assures that no volume of hits on the webserver can so overload the machine 
that it cannot do its most important work: ingesting and analyzing masscheck 
results and rescoring the ruleset. If you hit it when it is being hit too hard 
by the thousands of IPs used in the attack, you will get a page saying that it 
is offline. This is suboptimal. We live in a broken world.

At this moment, after ~2 hours with that in place, the site is persistently 
accessible and the load is low. It looks like the segment of the mob which was 
doing the heaviest hitting has taken a break for now. This sort of break had 
not occurred for over 2 weeks until now.

Please be aware that while this same sort of attack is hitting a lot of sites, 
it is not universal and it is not untargeted. I get a sense that it is also not 
unmonitored as a DDoS, as it does seem that when I've found a useful tactic and 
worked it for a while (e.g. whack-a-mole blocking) eventually the new hits just 
stop coming. As if they've stopped to revise their tactics. That sort of lull 
is present now, after about an hour of heavy pounding after I deployed the 
current defense.


-- 
 Bill Cole
 [email protected] or [email protected]
 (AKA @[email protected] and many *@billmail.scconsult.com addresses)
 Please keep discussion mailing list replies *on-list*
 Not Currently Available For Hire

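For readers who want to see what a load-shedding stanza of the kind described in the message above looks like in practice, here is an added example. It is not Bill Cole's script and not SpamAssassin ruleqa code; it is a stand-alone illustration. It reads the Linux /proc/loadavg line format, compares the 1-minute load average against a per-CPU ceiling, and, when the host is too busy, emits a CGI-style 503 response with a Retry-After header instead of doing any real work. The choice of the 1-minute average as the signal, the ceiling of 4 runnable tasks per CPU, the 120-second Retry-After, and the two sample loadavg lines are all assumptions made for this example (the sample lines are constructed, not captured from any real host).

```python
"""Load-shedding gate for a CGI-style web script.

Added example, not the ruleqa script itself. Assumes the shedding
decision is made from the 1-minute load average in /proc/loadavg
(Linux format) and a per-CPU ceiling; both are illustrative assumptions.
"""
import os
import sys

# Constructed sample lines in /proc/loadavg format:
# "<1min> <5min> <15min> <running>/<total> <lastpid>"
SAMPLE_QUIET = "0.42 0.51 0.60 1/312 4711"
SAMPLE_OVERLOADED = "38.20 31.07 22.15 19/890 5123"

# Hypothetical ceiling: shed when the 1-minute load exceeds this many
# runnable tasks per CPU. The value 4.0 is an assumption for illustration.
DEFAULT_LOAD_PER_CPU = 4.0


def parse_loadavg(text):
    """Return (load1, load5, load15) as floats from a /proc/loadavg line."""
    fields = text.split()
    if len(fields) < 3:
        raise ValueError("malformed loadavg line: %r" % text)
    return tuple(float(f) for f in fields[:3])


def should_shed(load1, ncpu, load_per_cpu=DEFAULT_LOAD_PER_CPU):
    """True when the 1-minute load says the host is too busy to serve web hits."""
    if ncpu < 1:
        ncpu = 1
    return load1 > load_per_cpu * ncpu


def offline_response(retry_after=120):
    """CGI-style 503 with Retry-After so polite clients back off instead of retrying at once."""
    body = "ruleqa is temporarily offline: the host is busy doing masscheck work.\n"
    headers = [
        "Status: 503 Service Unavailable",
        "Retry-After: %d" % retry_after,
        "Cache-Control: no-store",
        "Content-Type: text/plain; charset=utf-8",
        "Content-Length: %d" % len(body.encode("utf-8")),
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def gate(loadavg_text, ncpu, load_per_cpu=DEFAULT_LOAD_PER_CPU):
    """Return the 503 response text if the host should shed load, else None."""
    load1, _, _ = parse_loadavg(loadavg_text)
    if should_shed(load1, ncpu, load_per_cpu):
        return offline_response()
    return None


def read_loadavg(path="/proc/loadavg"):
    """Read the live loadavg line; returns None where /proc is not available."""
    try:
        with open(path) as fh:
            return fh.readline()
    except OSError:
        return None


if __name__ == "__main__":
    # Use the live load where /proc exists; fall back to the constructed
    # overloaded sample so the script still demonstrates the shedding path.
    live = read_loadavg()
    text = live if live is not None else SAMPLE_OVERLOADED
    resp = gate(text, os.cpu_count() or 1)
    if resp is not None:
        sys.stdout.write(resp)
        sys.exit(0)
    sys.stdout.write("Content-Type: text/plain\r\n\r\nload ok, serving normally\n")
```

The check runs before any expensive work, so every request the attackers send while the box is saturated costs one read of /proc/loadavg and a short write. Answering 503 with Retry-After rather than a 200 "offline" page matters for the legitimate traffic: browsers, monitoring probes and caches treat 503 as transient and back off, whereas a 200 can be cached or treated as the real content. Note the deliberate asymmetry: the gate protects the masscheck and rescoring work from the web server, not the other way round, which is the trade-off the message describes.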