Thursday, May 10, 2007

DoS attacks from Google? Look again

Lately an interesting type of DoS (denial of service) attack has been hitting the various Eclipse sites, and although I'm not sure if it's widespread or just an Eclipse thing, it could affect Google as well.

Here's what happens: load on the servers and databases slowly increases as Apache serves the home page of a site (and only the home page -- no images, CSS or other related files) to the same IP address at a very rapid rate (several times per second). As the new requests come in faster than the served connections are closed, within minutes the server starts to run out of resources. The catch is, if I look at the logs, I see hundreds, no -- thousands of lines like these:

(ip hidden) - - [10/May/2007:06:20:42 -0400] "GET / HTTP/1.0" 301 232 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +"
(ip hidden) - - [10/May/2007:06:20:42 -0400] "GET / HTTP/1.0" 301 232 "" "Mozilla/5.0 (compatible; Googlebot/2.1; +"

Googlebot? Sheesh! You'd think Google could write a smarter bot! Just as I ready myself to write a nasty e-mail to Google, I notice that the Googlebot's IP address doesn't really look like a Google IP address (you get to know these after a while). After some digging around, I discovered that the offending IP address is registered to some ISP in Connecticut.

I happened to catch the first two attacks red handed on Tuesday, and I was able to block the culprit IP addresses on our firewall before any significant interruption of service occurred. Yesterday I hacked some DoS protection into one of our monitoring scripts, just in case this happened again. Lo and Behold, this morning there were two Attack warnings in the webmaster box - both from these fake Googlebots, both fetching a homepage dozens of times per second. Both got blocked on our firewall.

What a waste of resources. Don't do stuff like this. You're just dumb if you do. And you'll lose all your hair.


Post a Comment

<< Home