The Forum Is Wonky


    #61
    All is well as of now.

    Of course, just after I fix the configurations to start logging real IP addresses, the bots vanished.

    Red line is where the configuration was fixed...

    [Image: image.png]

    Figures.

    I am now certain that this was either a direct DOS/DDOS attack or someone scraping the site (and being a jerk since you can set your scraper/crawler to slowly hit the site, even once a second would not be noticeable). One other bit of info, found via CloudFlare, most of the hits were from Hong Kong.

    I created an access log scanner script to pull the offending IPs when (not if) this happens again. I might work on an automated blocker. If more than x hits in x minutes, block for x hours.
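
The rule sketched in the post above ("more than x hits in x minutes, block for x hours"), as an added example that is not part of the original post and is not Ray's script. It assumes Combined Log Format lines whose first field is the real client address; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: Combined Log Format, first field is the real client IP.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def parse_line(line):
    """Return (ip, timestamp), or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None

def find_offenders(lines, max_hits, window, block_for):
    """Map each IP with more than max_hits inside `window` to its block expiry."""
    recent = defaultdict(deque)  # ip -> hit times still inside the window
    blocked = {}                 # ip -> time the block ends
    for parsed in filter(None, map(parse_line, lines)):
        ip, ts = parsed
        if ip in blocked and ts < blocked[ip]:
            continue             # still blocked: these hits would be dropped
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()       # forget hits older than the window
        if len(hits) > max_hits:
            blocked[ip] = ts + block_for
            hits.clear()
    return blocked

def sample_log():
    """Constructed input: one client at 20 hits/s, one at 1 hit/s, one bad line."""
    base = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def entry(ip, sec):
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET /forum HTTP/1.1" 200 512 "-" "-"'
    fast = [entry("203.0.113.7", i // 20) for i in range(200)]
    slow = [entry("198.51.100.20", i) for i in range(60)]
    return fast + slow + ["not a log line"]

if __name__ == "__main__":
    rule = dict(max_hits=100, window=timedelta(minutes=1), block_for=timedelta(hours=1))
    for ip, until in find_offenders(sample_log(), **rule).items():
        print(f"block {ip} until {until.isoformat()}")
```

With a threshold of 100 hits per minute, the once-a-second client in the sample stays under the limit, and only the burst client is returned with a block expiry.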

    • Panhead John
      That’s exactly what I was going to recommend! 🙄

      Thanks Ray!

    • jayjordan
      raywjohnson - Thanks for the many hours you put into finding and resolving the issues!

    • Duanessmokedmeats
      I recommend an airstrike on Hong Kong!

    #62
    Updated Graph: I realize that the times were UTC. I set the account Timezone to Central. And my red line was off a bit...

    [Image: image.png]

      #63
      All this scraping of data, often copyrighted, to produce AI insightful analysis and easy to understand information to educate people. I feel smarter already. 🙄

      [Image: IMG_2682.jpg]

      • Huskee
        This pic is hilarious!

      #64
      Ray,

      As I work in infosec, I appreciate you taking the time to share the technical details. I wish I had a useful suggestion to offer. At the risk of suggesting something utterly unpractical, have you considered nginx? It seems to be a little more DDoS resilient in my experience. Granted, that would be a major architecture change and something that would be far down the road, of course.

      Horizontal scaling is also probably out of the picture due to expense, I imagine. And that would just mitigate, but not solve, the problem.

      DDoS attacks are insidious. We certainly get them from time to time at the University. For us, when they occur our procedure is to go get a cup of coffee and take a walk around the datacenter. We have such a huge inbound pipe that there effectively is no defense.

      My favorite DDoS story is when we DDoS'ed ourselves. It was Wednesday, September 19, 2012. Approximately mid-day, we couldn't get to external web sites. Then we "fell off the internet." Rice University soon followed.

      We quickly realized the traffic flood was coming from inside our network, nearly all from our wireless network. We were being attacked from within! A few packet captures later we saw what was happening and couldn't believe it.

      Apple had released its much-anticipated iOS 6 update that day. 20,000+ iPhones were all trying to download it at once. Due to a horrendous misconfiguration with Akamai, it flooded our network and, as at the time, we went through Rice to go to the outside world, we brought them down, too!

      Fun day.

      • DaveD
        The call is coming from INSIDE THE HOUSE....!!

      #65
      Takeaway: even bots and nefarious ne'er-do-wellers can't stay away from us.

      • Jerod Broussard
        You've pointed out Panhead John what else ya got

      • Panhead John
        Hey, I’m no bot! A nefarious ne’er-do-weller? Well, occasionally…..🥸

      • Smoker_Boy
        I can't even spell nefarious.

      #66
      Originally posted by Michael_in_TX
      As I work in infosec, I appreciate you taking the time to share the technical details. I wish I had a useful suggestion to offer. At the risk of suggesting something utterly unpractical, have you considered nginx? It seems to be a little more DDoS resilient in my experience. Granted, that would be a major architecture change and something that would be far down the road, of course.
      I am not a fan of nginx (for those that do not know, it is pronounced Engine X). The configuration for anything complex is always difficult. And no .htaccess files. Everything has to be in the config file. It is currently used on the main (free) site. I dread having to make changes to the config.

      Originally posted by Michael_in_TX
      Horizontal scaling is also probably out of the picture due to expense, I imagine. And that would just mitigate, but not solve, the problem.
      Yep. A robust solution would be to have 7 servers, 2 for load balancing, 4 to serve the site, and one for the database. 2 load balancing so that if one goes down, the other will still be operational (they could also be used as caching proxies for static content using.... nginx! But easy to configure and you rarely have to make changes). All this makes the costs x 7. Not to mention the extra complexity and management.

      Originally posted by Michael_in_TX
      DDoS attacks are insidious. We certainly get them from time to time at the University. For us, when they occur our procedure is to go get a cup of coffee and take a walk around the datacenter. We have such a huge inbound pipe that there effectively is no defense.

      My favorite DDoS story is when we DDoS'ed ourselves. It was Wednesday, September 19, 2012. Approximately mid-day, we couldn't get to external web sites. Then we "fell off the internet." Rice University soon followed.

      We quickly realized the traffic flood was coming from inside our network, nearly all from our wireless network. We were being attacked from within! A few packet captures later we saw what was happening and couldn't believe it.

      Apple had released its much-anticipated iOS 6 update that day. 20,000+ iPhones were all trying to download it at once. Due to a horrendous misconfiguration with Akamai, it flooded our network and, as at the time, we went through Rice to go to the outside world, we brought them down, too!

      Fun day.
      Fun day indeed!

        #67
        Actual unretouched photo taken on the outskirts of Hong Kong of Ray conducting a commando op from his home in Thailand to root out the cyberattackers...

        [Image: Ray Johnson IT commando.png]

        • STEbbq
          Seriously, if Ray doesn’t make this his avatar…it is perfect.

        • SheilaAnn
          Do it ray!!

          Avatar!
          Avatar!
          Avatar!

        • RAYMBO
          Done!

        #68
        Yes... it is Raymbo: First Blood, part 37. We just need that voice-over dude from back in the day... "In a world where Hong Kong hackers attack a barbecue forum... Only one man can stop them: RAYMBO."

        [Image: Raymbo.jpg]
        Last edited by DaveD; September 9, 2025, 06:45 PM.

        • Donw
          Okay Ray. New member name!

          RAYMBO
          Code Ninja

        #69
        Yeah!!! Raymbo in da houuuuuuuuse!!!

        • STEbbq
          Woohoo!!!!!

        #70
        raywjohnson Last night, East coast time, and continuing into this morning I’m getting a lot of “Working” messages and also Error 0 messages. Basically a slowdown.

        • Panhead John
          It’s starting to mess up for me also. The last few hours have been slow, very slow, to load pages or to post something. @RAYMBO

        • RAYMBO
          I checked the load data. There was a spike for about 2 hours on CPU and DISK, but not network. So something on the server. The daily backup lasts about 6 minutes. Let me know if the site is still slow for you.

        #71
        raywjohnson I have not had the issues reported this time. I must be special.

        • RAYMBO
          special special

        #72
        Painfully slow today for some reason. Anyone else seeing this same issue?

        • Sid P
          Yep, a lot of "Working".

        • Panhead John
          Same here. It’s off and on sloooow. Been going on for a few days now. Occasionally it’s taken 30 seconds to a minute to load or change pages.

        #73
        20 minutes ago I couldn't do anything.
        Now it's fine.

          #74
          I had a couple of burps today.

            #75
            When I just now clicked on this page in Notifications, it took about 30-45 seconds to get here. Does it on my iPad and iPhone running the latest update.

            • Huskee
              The blocks I set up to stop you are failing and it's letting you in!! Drat!

            • Panhead John
              With all my skills I should put my name in the hat for the next administrators position…..🥸

            • Huskee
              You just may have more skills than I!
