Weathering An Invisible Storm

Operating a web site isn’t always easy. I’ve had to deal with all sorts of unforeseen problems over the years. In the last couple of months I’ve been dealing with a new irritant: the steady background hum of malicious bots and other unidentified assailants making repeated requests for large media files. For the last couple of months the site has been weathering an invisible storm of bad requests more often than not. These requests eat up CPU cycles, memory, and bandwidth–finite resources that I pay for and share with other users on my hosting plan. At times the onslaught has been heavy enough to slow the site down to a crawl, even making it virtually unusable on a couple of occasions. By some definitions, this is a denial-of-service (DoS) attack. Of course, the word “attack” implies a certain amount of intent, and I am not personally convinced that some shadowy adversary is out to crash the site. It seems more likely that the problems the site has been experiencing result from something more prosaic: spam bots, for instance. Anything more complex would imply a conspiracy.

So, what can be done? The Internet is both the cause of and solution to problems like these. Spend a bit of time with a search engine and you will turn up just about anything. This particular issue is common, and I would have expected there to be a robust solution readily available. Well, if you have root access to your server there are some powerful software packages that you can install and configure, but I don’t have the requisite permissions. For users on shared hosting, the widely cited solution is dumb as a rock: manually scan access logs and ban offending IPs by hand. Seriously. And that is exactly what I had to do at the beginning. Since then, I’ve coded up something a little more automated. Much of the unwanted traffic gravitates toward the big ticket items so I’ve deployed basic flood protection functionality. Some users have experienced problems downloading in the last few weeks–this is why. I had to fine tune things to get the balance just right–to ward off unwanted requests while letting legitimate traffic through. This effort appears to have been a success: the storm has died down, fewer people are reporting problems with the downloads, and the site itself is running smoothly. Overall, it feels like a serious improvement over the stressful and uncertain days of August.

Oh, and if anything in this entry seems vague, it’s on purpose. Part of security is not letting any potential adversaries know all the cards you hold. And while I did say that I doubt I’m being targeted, you never can be too careful!

Photo credit: Don Solo.