And starting from like a month ago, a lot of people on the Chinese internet started to decorate the GFW, and conclude with "for your own good" shit. I can see from those fragments of thoughts that China is not going to stop the GFW, and as Moore's Law advances, it's going to be even worse.
Sorry for swearing; the feeling of "there's nothing anyone can do to stop this BS" just leads to greater despair.
I figure it either helps inform the citizens as to why this link isn't working or the message itself causes the GFW to ban our IP as well.
>One thing I learned is that Apache can have problems figuring out which virtual host to use in some cases:
>>If no ServerName is specified, then the server attempts to deduce the hostname by performing a reverse lookup on the IP address.
ServerName is the name Apache reports in error messages and uses for redirects. It has nothing to do with the Host header sent by the client. If it did, a reverse lookup definitely wouldn't be of any help either.
His remedy was still OK though, just for the wrong reasons.
Interestingly, it wasn't our webservers that were overwhelmed but instead the Cisco firewall that sits in front of them. 25K concurrent connections made it decidedly unhappy.
We ended up mitigating it by moving our IP address on that host, and blocking all input on the old address.
Here is what I had to deal with on the 9th ramming my server...
Yes, that is almost 1000 Mbit/s, all coming from China...
http://serverfault.com/questions/656093/mod-security-block-r... describes the problem as well.
https://isc.sans.edu/forums/diary/Are+You+Piratebay+thepirat... also describes the same thing.
As well as http://www.webhostingtalk.com/showthread.php?p=9351951
Well, do you know what the Communist Party thinks?
Serving a static file is pretty simple at 40-50 req/sec but searching an entire index of the Internet @ 40-50 req/sec is harder.
"The number of requests peaked out at 52 Mbps. Let's put that number in perspective." Perspective: 52 Mbps isn't a small number, but not massive either.
We thought it was a new form of intelligent blackholing. Instead of sending traffic to IPs that could easily be blacklisted by tools to get around the firewall, the Great Firewall would start sending them to random "good" IPs for the same result. Others seem to think the same thing.
Then the next day the same thing happened, but with much more traffic. The 444 change helped some, but there was just too much traffic for the web servers to handle quickly, so they bogged down to a crawl. Luckily we were able to figure out through serverfault and some other searches that it appears to be DNS poisoning coming from China. We ended up banning the entire country.
The third day the same thing happened but because we had blocked the traffic from China at our outside firewall the servers were unaffected. Since then we have seen some flashes of traffic being blocked but not nearly as much as before.
In all cases the increased volume of traffic only lasted about an hour. The only thing I can surmise about the length of time is that DNS records are only cached for about an hour, so after that time the poisoned cached DNS records were replaced by the real resolving IP address. In the case of the article's author, their servers suffered a much longer attack than we did. I am not sure if it is the Chinese government doing it or an attack-for-hire scheme using holes in many Chinese-based DNS servers.
TL;DR: Remove default server settings from your web servers and have the default server block respond 444 or 404. This may help stave off the attack until your incoming traffic takes up all available resources of the web servers. Of course you could always block all traffic based in China like we did.
Here is info on the status codes in case you are curious: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_C...
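The default-server change described in the post above, written out as an added nginx example (this is not the commenter's own config; the ports, log path and the example.com names are assumptions). Requests whose Host header matches no configured name, which is what poisoned-DNS traffic aimed at a random IP looks like, fall into the catch-all block and are dropped before they reach the application.

```nginx
# Catch-all default server. Any request whose Host header (or bare IP)
# matches none of the server_name entries below lands here. Status 444 is
# nginx-specific: it closes the connection without sending a response, so
# the flood gets no bytes back and never touches the backend.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;    # "_" is a placeholder that never matches a real hostname

    # Log the dropped requests to their own file (assumed path) so the flood
    # stays visible for detection without drowning the real site's access log.
    access_log /var/log/nginx/default_server.log;

    return 444;
}

# The real site only answers when the Host header is one of these names.
# example.com is a placeholder for the site actually being hosted.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    root /var/www/example;
}
```

For HTTPS the same idea needs a `listen 443 ssl default_server` block carrying some certificate, because nginx has to complete the TLS handshake before it can see the Host header and decide to drop the request.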
Using DHT is also a particularly effective way of getting massive amounts of UDP traffic directed at you, which does not stop even after stopping the torrents. It subsides eventually, but can be quite irritating.
Were you still using preforking MPM or something? Surely switching to threaded or even better, event MPM would have mitigated this to a degree...
(I've done exactly that for a friend, it made a huge difference in how much traffic his box can handle).
In our network, 'out' means outbound from the edge, and 'in' means in from the edge, in all cases.
It seemed backwards to me too, when I first saw it.
Clearly all requests from China with an incorrect host header should just be served a Goatse-style 'hello.jpg'.