DOS On My Server - Continues
It's been about a week since it started, and I've blocked a lot of IPs, but there doesn't seem to be an end to the attack. Again, there's nothing critical on the site; it's just a dumb e-mail experiment.
In addition to locking out about 15 countries entirely, there are almost 18K individual IPs also blocked. My firewall has 94,152 rules blocking IP addresses and ranges because of this stupid attempt to knock my service into a state of serve-less.
This has also led me to appreciate my log file analysis even more than the script-based analysis tools. I've got AWStats and Google Analytics and Open Web Analytics on this site--more for my own experience than because the site generates anything useful. Only AWStats shows the swell in traffic for those few days, because, of course, the DOS attackers aren't using a browser and therefore aren't hitting the JavaScript that would send the analytics messages to the other servers.
Notice the swell in mid-January. That was due to heavy blog traffic (which turned out to be an abuse to a "trackback" feature, since turned off). That spike on the 31st is when the attack started. Important to note (and tricky to see) is the slight yellow line on the left of each stack; that's unique users. It's terribly low for the abuse swell, but enormously high for the 31st. There's no scale here, but the high swells are from about 400 unique visitors, while the DOS is from 36,000 unique visitors; the high point in the swell is about 45K pages, while on the 31st that number hit 98K; and those are just the ones that didn't fail!
Compare that with roughly the same time period of the OWA report:
Notice the peak is almost the opposite, as these are legitimate browser users. Usually fewer than a dozen per day, with some swells to double that.
To be fair, the AWStats chart above is for the whole server while the OWA chart is only for that one website. This is because the attack caused the site to become relatively unresponsive; what did make it to the log was a failure, so it didn't register, and the traffic on the 31st looks "broken." Here's the AWStats chart for the affected site.
Note that it is about the same, with swells in the early and late parts of the month. The analytics engines are also logging different things, and taking different interpretations of what constitutes a visit; in this OWA and Google Analytics have a bit of an edge, because the JavaScript can take advantage of cookies and other tricks that the log analyzer does not have. AWStats treats requests from the same IP that are close together in time as a "visit," which gets skewed by NAT and proxy servers, and by users simply leaving and returning "close enough" to a previous visit.
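To make the difference between the two counting methods concrete, here is an added example (not part of the original post) that applies the AWStats-style "same IP within a time window" visit heuristic to a constructed access-log excerpt: one browser user fetching a page with its CSS and JavaScript, next to a handful of one-hit addresses whose requests the overloaded server answered with 503. The log lines, addresses, dates and the 30-minute window are all assumptions for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in Apache combined format (dates, IPs and paths are made up):
# one browser visitor fetches a page plus its CSS/JS and returns two hours later,
# while four other addresses each make one request that the overloaded server fails.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jan/2012:10:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2012:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Jan/2012:10:00:02 +0000] "GET /script.js HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
198.51.100.1 - - [31/Jan/2012:10:00:05 +0000] "POST /contact HTTP/1.1" 503 0 "-" "-"
198.51.100.2 - - [31/Jan/2012:10:00:05 +0000] "POST /contact HTTP/1.1" 503 0 "-" "-"
198.51.100.3 - - [31/Jan/2012:10:00:06 +0000] "POST /contact HTTP/1.1" 503 0 "-" "-"
198.51.100.4 - - [31/Jan/2012:10:00:06 +0000] "GET /blog/ HTTP/1.1" 503 0 "-" "-"
203.0.113.5 - - [31/Jan/2012:12:30:00 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, status) for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), int(m.group(3))

def summarize(log_text, visit_timeout=timedelta(minutes=30)):
    """Count hits, unique IPs, failed requests and AWStats-style 'visits'.
    A visit starts when an IP's request arrives more than visit_timeout after that
    IP's previous one (lines must be in time order, as access logs are). NAT and
    proxies merge real users; a flood of one-hit addresses inflates unique visitors."""
    hits, last_seen = Counter(), {}
    visits = failures = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        hits[ip] += 1
        if status >= 400:  # the post notes the overloaded server's hits were failures
            failures += 1
        if ip not in last_seen or ts - last_seen[ip] > visit_timeout:
            visits += 1
        last_seen[ip] = ts
    return {"hits": sum(hits.values()), "unique_ips": len(hits), "visits": visits,
            "failures": failures,
            "single_hit_ips": sum(1 for n in hits.values() if n == 1),
            "top": hits.most_common(3)}
```

On the sample, the one real browser user accounts for half the hits but only two of the six "visits," while the four flood addresses each count as a unique visitor with a single failed request, which is the skew the chart shows.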
Oh, since the attack, and while I've been paying attention, here's what that site looks like:
That spike on the 1st was before I caught wind of the attack. The mid-day break on the 2nd was the first day of blocking the IPs of the attackers. The imperceptible traffic since then is the actual visitors to the site, plus the continuing attack.
Oh, yes, the attack continues. In addition to the few that trickle in (825 unique IPs for 3,841 hits today), for giggles I changed the firewall to not block those 18K IP addresses. The server was instantly flooded with requests. That 825/3841 includes those requests, but only about 100 or so requests in those few seconds it took me to restore the full block. Even as I write this I've got the log scrolling in the background, and about every two or three or four seconds pops another one on the site.
That rate is not enough to worry about, as hitting this one blog page will potentially ask for more (in images and style sheets and JavaScript) per connection. Still, I'm making a pass a few times a day to curb the obviously garbage traffic. It's a small server, but it hosts a dozen-ish sites, and so far only the one has been attacked. I can't imagine the flurry of traffic if they decided to attack it by IP or by name for the other sites! (Attacking it by IP at least hits a static-only site, and it has the POST filter on it that I noted in my first post about the DOS...just in case you were concerned.)