A short investigation showed that we were under a SYN_RECV flood, which looked like this:

tcp 0 0 188.165.xxx.xxx:80 107.83.110.62:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 109.143.164.196:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 109.222.2.66:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 1.118.132.82:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 114.19.38.196:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 115.71.32.78:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 117.157.27.87:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 118.0.125.227:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 1.183.162.94:1234 SYN_RECV -
tcp 0 0 188.165.xxx.xxx:80 119.19.140.214:1234 SYN_RECV -
......... and many, many more ;]

With syncookies already turned on, I couldn't do much more about it than limit SYN_RECV connections to 1 per second per IP address.
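As an added example (not code from the original post), the following POSIX shell script does the two things described above: it counts half-open (SYN_RECV) connections per remote address from netstat-style output, so a flood source stands out, and it emits the sysctl and iptables commands for the mitigation the post names (syncookies on, new connections limited to 1 per second per source IP). The sample netstat output, the addresses in it, and the exact iptables rule form (a hashlimit match keyed on source IP, which the post does not show) are all assumptions made here.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Part 1: spot SYN_RECV flood sources in `netstat -ant` output.
# Part 2: print the sysctl + iptables commands for the described mitigation.

# Constructed sample of `netstat -ant` output (addresses made up).
# Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE='tcp        0      0 10.0.0.5:80         198.51.100.7:1234     SYN_RECV
tcp        0      0 10.0.0.5:80         198.51.100.7:1235     SYN_RECV
tcp        0      0 10.0.0.5:80         198.51.100.7:1236     SYN_RECV
tcp        0      0 10.0.0.5:80         203.0.113.9:1234      SYN_RECV
tcp        0      0 10.0.0.5:80         203.0.113.10:40001    ESTABLISHED
tcp        0      0 10.0.0.5:22         203.0.113.11:50022    ESTABLISHED'

# syn_recv_per_ip: read netstat output on stdin and print "count ip" for
# every remote IP that has SYN_RECV entries, most frequent first.
# Field 5 is the foreign address ("ip:port"), field 6 the socket state.
syn_recv_per_ip() {
    awk '$6 == "SYN_RECV" { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# half_open_sources_over THRESHOLD: print only the remote IPs whose
# SYN_RECV count is at or above THRESHOLD (stdin = netstat output).
half_open_sources_over() {
    syn_recv_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# syn_limit_rules [PORT]: emit the commands for the mitigation described in
# the post: keep syncookies on and allow at most 1 new connection (SYN) per
# second per source IP to PORT. The commands are printed rather than run so
# they can be reviewed first; pipe the output into `sh` as root to apply.
# Assumption: the post does not show its rule, this uses xt_hashlimit.
# Note: a burst of 1 also throttles a single browser opening several
# parallel connections; raise --hashlimit-burst if that hurts real users.
syn_limit_rules() {
    port="${1:-80}"
    cat <<EOF
sysctl -w net.ipv4.tcp_syncookies=1
iptables -N SYN_LIMIT
iptables -A SYN_LIMIT -m hashlimit --hashlimit-name synlimit --hashlimit-mode srcip --hashlimit-upto 1/sec --hashlimit-burst 1 -j ACCEPT
iptables -A SYN_LIMIT -j DROP
iptables -I INPUT -p tcp --dport $port --syn -j SYN_LIMIT
EOF
}

# Demo on the constructed sample (on a live box: netstat -ant | syn_recv_per_ip)
printf '%s\n' "$SAMPLE" | syn_recv_per_ip
printf '%s\n' "$SAMPLE" | half_open_sources_over 2
```

On a real host, replace the sample with `netstat -ant | syn_recv_per_ip` (or `ss -tan`, whose state column name is SYN-RECV) and run `syn_limit_rules 80 | sudo sh` only after checking the printed rules.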
The attacker tried another 5-10 times to bring down our server, without success. The total bandwidth of the attack varied between 90 and 200 Mbps.
To protect the website in the future, I put Varnish Cache in front of the site, with Apache serving dynamic content and nginx serving static content.
It works really well: page load time dropped from 4 s to 2.5 s (including downloading all images, stylesheets and JavaScript).