Re: Explanation of usage spike (malicious DOS attack?)

From: Anthony Brant (element_at_element.cx)
Date: 03/05/04

    Date: Thu, 4 Mar 2004 22:49:49 -0600
    
    

    This probably isn't the reason behind the two hosts being their foreign and
    dialup, but there are some services (perhaps provided by your ISP itself)
    that will check to see if your site is online every X minutes.

    "David Mertz, Ph.D." <groups.google@gnosis.cx> wrote in message
    news:8cf9f521.0403030045.7c152d27@posting.google.com...
    > I hope this is an appropriate group. I have a website hosted at a
    > commercial provider, Hostway.com. Generally I've been pretty happy
    > with them, BTW. My site, gnosis.cx, exists for the non-commercial
    > purpose of making my articles and software available for any
    > interested persons--as such, it consists almost wholly of static
    > content.
    >
    > I am in the habit of checking my stats from time to time, just out of
    > vanity, not because I have any direct benefit (or detriment) from
    > them. FWIW, I've easily survived a couple slashdottings when things
    > I've written have gotten frontpage mention on /., so the site is
    > pretty solid (I get 10k visits, 75k accesses most weeks lately; but /.
    > weeks are much higher :-)).
    >
    > I wrote the below note to my host support, just as a matter of
    > curiosity. But I suspect readers of this group will actually have
    > more insight (I imagine other people here have seen some similar
    > behavior on their sites):
    >
    > --------------------------------------------------------------------------
    > The following is not directly a problem for me, but it suggests
    > something peculiar going on--which may perhaps likewise affect other
    > Hostway hosted sites.
    >
    > Checking last week's stats, I found this peculiar information.
    >
    > From: http://www.gnosis.cx/webstats/weekly/2004/02/22/sites.html
    > ------------------------------------------------------------------------
    > Rank  Site                        Accesses      %        Bytes  Visits
    >    1  193.148.159.130               48,105  46.66  291,961,292       4
    >    2  218.106.171.126                3,592   3.48   46,471,285       2
    >    3  220.168.70.32                  2,624   2.54   29,662,956       1
    >    4  218.76.40.173                  1,792   1.74  190,250,191       2
    >    5  shop-gw.sac.overture.com       1,045   1.01   22,510,525      43
    >    6  uscu-sgs-5.symantec.com          778   0.75   27,736,535       5
    >    7  64-21-7-184.static.nac.net       674   0.65       30,891     672
    > [...]
    >
    > Unfortunately, the access-log file from last week has expired, so I
    > can't trace the individual hits for diagnostics. However, looking at
    > my bandwidth usage, I see a big bump for Feb 26-27, so I would guess
    > that #1 and #4 sites do that.
    >
    > Just as background, I currently have 6295 files in my account--most,
    > but not all, of them publicly available (i.e., under www/). That
    > amounts to 135MB. So the accesses by #1 are WAY more than the total
    > number of files that can be accessed, and the bandwidth used in a
    > couple visits by #1 or #4 is considerably more than the total content
    > I have to serve (my site is 99% static content).
    >
    > Given especially the fact 193.148.159.130 does not respond to ping or
    > nslookup, it starts to look like some sort of nasty zombie. As of
    > this moment, 218.76.40.173 -can- be ping'd, but has no nslookup entry.
    >
    > Anyway, these don't put me over my bandwidth allocation or anything.
    > But they certainly don't look like clients who are "playing nice"
    > either. If you have any ideas about the cause of this traffic--or
    > especially about anything I can do to avoid it--I'd be interested.
    >
    > Yours, David...
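
The comparison made in the quoted post (a host's accesses against the number of files on the site, and its bytes against the total size of the content) can be run directly over the report table. This is an added example, not part of the original thread; the function names are hypothetical and reading "135MB" as binary megabytes is an assumption.

```python
import re

# Rows copied from the weekly "sites" report quoted in the post.
REPORT = """\
Rank Site Accesses % Bytes Visits
1 193.148.159.130 48,105 46.66 291,961,292 4
2 218.106.171.126 3,592 3.48 46,471,285 2
3 220.168.70.32 2,624 2.54 29,662,956 1
4 218.76.40.173 1,792 1.74 190,250,191 2
5 shop-gw.sac.overture.com 1,045 1.01 22,510,525 43
6 uscu-sgs-5.symantec.com 778 0.75 27,736,535 5
7 64-21-7-184.static.nac.net 674 0.65 30,891 672
[...]
"""

SITE_FILES = 6295            # files in the account, per the post
SITE_BYTES = 135 * 1024**2   # "135MB"; binary megabytes is an assumption

# rank, site, accesses, percent, bytes, visits (numbers may contain commas)
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d,]+)\s+([\d.]+)\s+([\d,]+)\s+([\d,]+)\s*$")

def to_int(s):
    return int(s.replace(",", ""))

def parse_report(text):
    """Return one dict per data row; header and '[...]' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _, site, acc, _, nbytes, visits = m.groups()
            rows.append({"site": site, "accesses": to_int(acc),
                         "bytes": to_int(nbytes), "visits": to_int(visits)})
    return rows

def flag_hosts(rows, site_files=SITE_FILES, site_bytes=SITE_BYTES):
    """Flag hosts that requested more objects or bytes than the site holds."""
    findings = {}
    for r in rows:
        reasons = []
        if r["accesses"] > site_files:
            reasons.append(f"{r['accesses']} accesses > {site_files} files")
        if r["bytes"] > site_bytes:
            reasons.append(f"{r['bytes']} bytes > {site_bytes} bytes of content")
        if reasons:
            findings[r["site"]] = reasons
    return findings

if __name__ == "__main__":
    for site, reasons in flag_hosts(parse_report(REPORT)).items():
        print(site, "->", "; ".join(reasons))
```

Only ranks #1 and #4 are flagged, the same two hosts the post singles out; a crawler that fetches every file once stays under both thresholds.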

