Vash
OHM Administrator
- Joined
- Mar 26, 2008
- Messages
- 188
- Reaction score
- 2
- Points
- 0
- Location
- In a cave, of course.
- Website
- www.orbithangar.com
Just a little update here...
It may not have been a purposeful attack after all!
Upon further examination of my log files, it looks like someone using a download accelerator is the real culprit here.
Here's my theory so far:
Before I set the firewall to limit the maximum number of concurrent connections to the site, any one IP address was allowed to make any number of simultaneous requests to the web server. Let's say that someone using a download accelerator decided to go around and download all of the extremely large files on the site that he could find, opening up 50+ connections simultaneously to grab parts of all these files. While the actual bandwidth usage of my site isn't the real issue, the flooding of simultaneous requests and connections to the Apache server is.
Why that theory may not really hold up:
The one thing that stands out the most in the log files are various IP addresses which open several connections to download my hosted mirror of the main orbiter distribution files. I could understand a few people using "download accelerators" (all of which are complete garbage) here and there to download the file, but it doesn't so much make sense that it would be happening so consistently every single day.
Other observations:
I ran a different analysis on my logs for today to find out how many IP addresses were downloading the same .zip file from my site more than 5 times (ex. one IP address downloads Intrepid.zip 20 times). Running this script, I found that there were 46 unique IP addresses who downloaded at least one .zip file more than 5 times. Your average user should only need to download a file once... and two or three times at most. Once again though, this could be due to download accelerators being used.
One other observation to quite possibly discredit the download accelerator theory:
One might think that the seemingly malicious downloads of the orbiter mirror could be explained by the download accelerator theory. Sure, someone opens up 40 connections to the same file that way, but they're only getting small pieces at a time, right? Well, not according to the logs... each file transfer seems to be about 30mb in size, totaling up to be MUCH larger than the size of the file being downloaded.
EDIT:
Upon closer examination, this may actually be an error in Apache's logging. The HTTP response code was a 206 and not 200 for most of those requests, but it was still saying that it was returning about 30-40 bytes per request. This may or may not be the actual number of bytes that were delivered.
What may have to be done:
The direction I'm thinking about moving in right now is to disallow direct access to add-on files and only allow it via a php download page. For the vast majority of users, this should not mean anything at all as I've always discouraged direct linking to add-on files on the site anyway.
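The per-IP repeat-download count the post describes, reconstructed as an added example (not the poster's own script, which is not shown). It parses Apache combined-format lines, groups requests by (client IP, .zip path), and reports every pair over a threshold, together with the 200/206 status breakdown and the sum of the logged response sizes, so the "206 with only 30-40 bytes" observation from the EDIT can be checked in the same pass. The log lines, IP addresses, file names and user-agent strings are constructed for the example; the threshold of 5 mirrors the post.

```python
import re
from collections import Counter, defaultdict

# Regex for Apache "common"/"combined" log lines: client IP, timestamp,
# request line, status code and response size are the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields we care about, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group('size')
    return {
        'ip': m.group('ip'),
        'path': m.group('path').split('?', 1)[0],  # drop query strings
        'status': int(m.group('status')),
        'size': 0 if size == '-' else int(size),
    }


def find_repeat_downloaders(log_text, threshold=5, suffix='.zip'):
    """Group requests by (client IP, file path) and report every pair whose
    request count exceeds `threshold`. Each entry also carries the status-code
    breakdown (200 full vs 206 partial) and the sum of the logged sizes, so
    range requests can be told apart from repeated full downloads."""
    counts = Counter()
    statuses = defaultdict(Counter)
    sizes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'].lower().endswith(suffix):
            continue
        key = (rec['ip'], rec['path'])
        counts[key] += 1
        statuses[key][rec['status']] += 1
        sizes[key] += rec['size']
    report = []
    for (ip, path), n in counts.items():
        if n > threshold:
            report.append({'ip': ip, 'path': path, 'requests': n,
                           'statuses': dict(statuses[(ip, path)]),
                           'logged_bytes': sizes[(ip, path)]})
    # Busiest pairs first, deterministic order for ties.
    report.sort(key=lambda r: (-r['requests'], r['ip'], r['path']))
    return report


def unique_ips(report):
    """Number of distinct client IPs in a report (the post's '46 unique IPs' figure)."""
    return len({r['ip'] for r in report})


def _line(ip, path, status, size, ua='-'):
    # Build one constructed combined-format line (fixed placeholder timestamp).
    return (f'{ip} - - [26/Mar/2008:10:00:00 -0500] "GET {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}"')


# Constructed sample log: one client hammering a mirror file with range
# requests, one normal full download, a few repeats of another add-on,
# and non-.zip traffic that must be ignored.
SAMPLE_LOG = "\n".join(
    [_line('203.0.113.5', '/files/Intrepid.zip', 206, 30, 'DownloadAccel/1.0')] * 7
    + [_line('198.51.100.9', '/files/Intrepid.zip', 200, 52428800, 'Mozilla/5.0')]
    + [_line('192.0.2.77', '/files/OtherAddon.zip', 200, 1048576)] * 3
    + [_line('203.0.113.5', '/index.html', 200, 512)] * 10
)

if __name__ == '__main__':
    hits = find_repeat_downloaders(SAMPLE_LOG)
    print(f'{unique_ips(hits)} IP(s) exceeded the threshold')
    for r in hits:
        print(r)
```

Run it against a real access log with `find_repeat_downloaders(open(path).read())`; a pair whose statuses are almost all 206 with a tiny byte total is the range-request pattern described in the EDIT, while many 200 responses each close to the file size is genuinely repeated full downloads.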