A WebMaster’s view of Eclipse.org

Rants, praise and observations related to the technical and psychological challenges of running servers for a pretty busy site.

DoS attacks from Google? Look again

Lately an interesting type of DoS (denial of service) attack has been hitting the various Eclipse sites, and although I’m not sure if it’s widespread or just an Eclipse thing, it could affect Google as well.

Here’s what happens: load on the servers and databases slowly increases as Apache serves the home page of a site (and only the home page — no images, CSS or other related files) to the same IP address at a very rapid rate (several times per second). As the new requests come in faster than the served connections are closed, within minutes the server starts to run out of resources. The catch is, if I look at the logs, I see hundreds, no — thousands of lines like these:

(ip hidden) - - [10/May/2007:06:20:42 -0400] "GET / HTTP/1.0" 301 232 "http://live.eclipse.org" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
(ip hidden) - - [10/May/2007:06:20:42 -0400] "GET / HTTP/1.0" 301 232 "http://live.eclipse.org" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Googlebot? Sheesh! You’d think Google could write a smarter bot! Just as I ready myself to write a nasty e-mail to Google, I notice that the Googlebot’s IP address doesn’t really look like a Google IP address (you get to know these after a while). After some digging around, I discovered that the offending IP address is registered to some ISP in Connecticut.

I happened to catch the first two attacks red-handed on Tuesday, and I was able to block the culprit IP addresses on our firewall before any significant interruption of service occurred. Yesterday I hacked some DoS protection into one of our monitoring scripts, just in case this happened again. Lo and behold, this morning there were two Attack warnings in the webmaster box - both from these fake Googlebots, both fetching a homepage dozens of times per second. Both got blocked on our firewall.

What a waste of resources. Don’t do stuff like this. You’re just dumb if you do. And you’ll lose all your hair.

Posted May 10th, 2007 by Denis Roy in category: Uncategorized
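The two signals described in the post (one address fetching only the home page at a rapid rate, and a Googlebot user agent coming from an address that is not Google's) can be checked directly against the access log. The following is an added example, not the monitoring script mentioned in the post; the thresholds, the documentation-range IP addresses and the stub DNS tables are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip, [time], "METHOD path proto", status, size, "referer", "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def parse(lines):
    """Yield (ip, timestamp, path, user_agent) for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m[1], datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z"), m[3], m[4]

def find_floods(lines, max_hits=20, window=timedelta(seconds=10)):
    """Map ip -> peak number of hits on "/" inside any sliding window, if above max_hits."""
    hits = defaultdict(list)
    for ip, ts, path, _ in parse(lines):
        if path == "/":
            hits[ip].append(ts)
    peaks = {}
    for ip, times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop hits that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        peaks[ip] = peak
    return {ip: p for ip, p in peaks.items() if p > max_hits}

def fake_googlebots(lines, reverse_dns, forward_dns):
    """IPs whose User-Agent claims Googlebot but fail forward-confirmed reverse DNS."""
    claimed = {ip for ip, _, _, ua in parse(lines) if "Googlebot" in ua}
    def genuine(ip):
        host = (reverse_dns(ip) or "").rstrip(".")
        return host.endswith((".googlebot.com", ".google.com")) and ip in forward_dns(host)
    return {ip for ip in claimed if not genuine(ip)}

# Constructed sample: documentation-range IPs, stub DNS answers instead of live lookups.
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FMT = '{} - - [10/May/2007:06:20:{:02d} -0400] "GET / HTTP/1.0" 301 232 "-" "{}"'
SAMPLE = [FMT.format("203.0.113.7", s // 3, UA) for s in range(90)]   # 3 req/s for 30 s
SAMPLE += [FMT.format("192.0.2.10", s, UA) for s in (5, 45)]          # slow, verifiable crawler
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com", "203.0.113.7": "host7.isp.example"}
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}

if __name__ == "__main__":
    print(find_floods(SAMPLE), fake_googlebots(SAMPLE, PTR.get, lambda h: A.get(h, [])))
```

Against live logs, the two resolver arguments can wrap `socket.gethostbyaddr` and `socket.gethostbyname_ex`; the forward lookup matters because the owner of an address block controls its PTR record and can make it say anything.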

One Response to “DoS attacks from Google? Look again”


  1. Fumier Says:

    I wrote a little application a few years ago that would interrogate a reservation system for cheap train tickets. In building this app I realized that you can’t really prevent somebody from using thousands of transparent proxy servers freely available on the web. Each HTTP request would virtually have a different IP. What can you do against this kind of attack?
