Forum server suffering from a denial of service attack

PaulStoffregen

Well-known member
Looks like someone may be running a distributed denial of service attack. Or if there's some other nefarious purpose, difficult to know what it is.

I cobbled together a couple fail2ban filters which are lightening the load, but the server is still under a lot of strain. At this moment 13230 IP numbers are blocked, and the list is growing.
 
Difficult to tell if this is a malicious attack or a very badly designed bot. It's utilizing tens of thousands of distinct IP numbers, so sure seems like someone knows they're up to no good. The accesses keep coming, but the pace seems to have slowed to only a few per second.
 
Server getting badly loaded - when it is up it isn't properly responsive :( - maybe I caught it just before it went 'away' again
 
Looks like things are calmed down now.

1727819563324.png
 
Hopefully all calm soon. That is a lot of data In and Out ...
Seen dead at 1:55 AM pacific and post above at 2:05 PM had to wait for a restart minutes earlier to post that ...

Note sure of the time base EST or PST above? - but both seem outside the peak disruption time.
 
It's really not a lot of total data transfer. The units are incorrect. Numbers at the last 2 lines are total bytes, not per second.

8.7 GB over 24 hours, if it repeated every day, would add up to only 1.3% of the server's 20TB monthly allocation.

The bogus requests are still coming in, but now only about 1 or 2 per second. My guess is a bot run by some big site (maybe Facebook / Meta?) that had a programming mistake added and ran rampant for several hours before getting fixed.
 
Back
Top