It's been about a week since it started, and I've blocked a lot of IPs, but there doesn't seem to be an end to the attack. Again, there's nothing critical on the site; it's just a dumb e-mail experiment.
In addition to locking out about 15 countries entirely, there are almost 18K individual IPs also blocked. My firewall has 94,152 rules blocking IP addresses and ranges because of this stupid attempt to knock my service into a state of serve-less.
Notice the swell in mid-January. That was due to heavy blog traffic (which turned out to be abuse of a "trackback" feature, since turned off). That spike on the 31st is when the attack started. Important to note (and tricky to see) is the slight yellow line on the left of each stack; that's unique users. It's terribly low for the abuse swell, but enormously high for the 31st. There's no scale here, but the high swells are from about 400 unique visitors, while the DoS is from 36,000 unique visitors; the high point in the swell is about 45K pages, while on the 31st that number hit 98K; and those are just the ones that didn't fail!
Compare that with roughly the same time period of the OWA report:
Notice the peak is almost opposite, as these are legitimate browser users. Usually fewer than a dozen per day, with some swells to double that.
To be fair, the AWStats chart above is for the whole server while the OWA chart is only for that one website. This is because the attack caused the site to become relatively unresponsive; and what did make it to the log was a failure, so it didn't register, so the traffic on the 31st looks "broken." Here's the AWStats chart for the affected site.
Oh, since the attack, and while I've been paying attention, here's what that site looks like:
That spike on the 1st was before I caught wind of the attack. The mid-day break on the 2nd was the first day of blocking the IPs of the attackers. The imperceivable traffic since then is the actual visitors to the site, and the continuing attack.
Oh, yes, the attack continues. In addition to the few that trickle in (825 unique IPs for 3,841 hits today), for giggles I changed the firewall to not block those 18K IP addresses. The server was instantly flooded with requests. That 825/3841 includes those requests, but only about 100 or so requests in those few seconds it took me to restore the full block. Even as I write this I've got the log scrolling in the background, and about every two or three or four seconds another one pops up on the site.
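
The unique-visitors versus pages comparison above can be computed straight from an access log. The following is an added example, not code from this post: it assumes Apache/NCSA combined log format, and the sample lines, the `spike` and `heavy` thresholds and the baseline of 12 visitors are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/NCSA combined log prefix: client IP, day, request, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]*\] "[^"]*" (\d{3}) ')

def daily_profile(lines):
    """Map each day to (hits, unique client IPs, failed hits with status >= 400)."""
    hits, fails, ips = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, day, status = m.groups()
        hits[day] += 1
        ips[day].add(ip)
        fails[day] += int(status) >= 400
    return {d: (hits[d], len(ips[d]), fails[d]) for d in hits}

def classify(hits, uniques, baseline_uniques, spike=10, heavy=50):
    """Label a day. spike and heavy are assumed thresholds; tune them per site."""
    if uniques >= spike * baseline_uniques:
        return "distributed"    # far more sources than usual: per-IP blocking scales badly
    if uniques and hits / uniques >= heavy:
        return "concentrated"   # few sources, each very busy: a handful of blocks suffices
    return "normal"

def sample_log():
    """Constructed log lines using documentation address ranges."""
    fmt = '{ip} - - [{day}:12:00:00 +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    out = []
    # Day A: 2 clients hammering one endpoint (trackback-style abuse).
    for i in range(200):
        out.append(fmt.format(ip=f"192.0.2.{i % 2 + 1}", day="15/Jan/2024",
                              req="POST /trackback", st=200))
    # Day B: 150 different clients, 2 requests each, half of them failing.
    for i in range(300):
        out.append(fmt.format(ip=f"198.51.100.{i % 150 + 1}", day="31/Jan/2024",
                              req="GET /", st=503 if i % 2 else 200))
    return out

if __name__ == "__main__":
    for day, (h, u, f) in daily_profile(sample_log()).items():
        print(day, h, u, f, classify(h, u, baseline_uniques=12))
```

Counting failed hits separately matters here because requests that fail may not show up in the page totals, so a day under attack can look quieter than it was.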