Rantburg

2004-05-12 
Seem to have gotten that one fixed...
Posted by Fred 2004-05-12 11:36:59 AM

#1 Is the DOS attack responsible for the huge number of people online? I've been seeing numbers like 1505 and 1643 last night and this morning, where I'd normally expect around 200. I was wondering if there's a way to make use of this data for recognizing an attack and applying defensive measures...just curious.
Posted by mft 2004-05-12 11:50:17 AM

#2 Time to hit the tip jar.
Posted by 11A5S 2004-05-12 11:50:35 AM

#3 DOS attack against Rantburg. Huge number of Barely Literate Defenders of Islam(tm) at jihadwatch. Trolls crawling all over Tim Blair's site.

Sounds like Islam had a bad day yesterday and are doing their best to keep people from knowing it.
Posted by Robert Crawford 2004-05-12 11:52:26 AM [http://www.kloognome.com]

#4 I think it was a definite DOS attack. But we can handle a couple thousand people online at a time. We can't handle all of them doing terrible things to the database at once.

Now I can spend another week or two programming...
Posted by Fred 2004-05-12 12:00:46 PM

#5 Jihad Watch is down.
Posted by Seafarious 2004-05-12 12:10:56 PM

#6 Since the DOS attacks started when the Nick Berg beheading became news, copy yesterday's posts about Nick to today. I also urge readers to look at yesterday's posts to see what stuck such a burr up the Islamists @$$es.
Posted by ed 2004-05-12 12:15:46 PM

#7 Two things: First, I submitted a link to "Page 2" yesterday, but it seems to have gone into the memory hole. Second, I guess this pretty much kiboshes my suggestion that search be opened up to the comments.
Posted by Phil Fraering 2004-05-12 12:34:53 PM [http://newsfromthefridge.typepad.com]

#8 Fred, lemme help...

If you have access, gimme your IP logs, let me sort them out nice and neat into a database. I will mail the analysis back to you.

Also, would a mirror help? At all?

Mail to stavka@rkka.org
Posted by badanov 2004-05-12 12:59:58 PM [http://www.rkka.org]

#9 Fred -
badanov seems to be making the same suggestion I did in my EMail, and seems to have the facilities to help. You gotta analyze the IPs, then research in arin.net to further complete your detective work.
Posted by BigEd 2004-05-12 1:52:57 PM
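
The IP-log analysis suggested in comments #8 and #9, sketched as an added example that is not part of any commenter's post: it counts requests per client in a W3C extended log (the format IIS writes) and rolls the counts up to /24 ranges for a whois lookup. The log lines, paths and addresses are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: per-client request counts from a W3C extended log.
# The column order is read from the "#Fields:" directive, not hard-coded.
# The sample log is constructed; addresses are documentation ranges.

sample_log() {
cat <<'EOF'
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-05-11 22:14:01 192.0.2.10 GET /index.asp 200
2004-05-11 22:14:02 198.51.100.7 GET /search.asp 200
2004-05-11 22:14:02 198.51.100.7 GET /search.asp 200
2004-05-11 22:14:02 198.51.100.9 GET /search.asp 200
2004-05-11 22:14:03 198.51.100.7 GET /search.asp 500
2004-05-11 22:14:03 198.51.100.9 GET /search.asp 500
2004-05-11 22:14:03 198.51.100.7 GET /search.asp 500
2004-05-11 22:14:04 203.0.113.5 GET /index.asp 200
2004-05-11 22:14:04 198.51.100.9 GET /search.asp 500
2004-05-11 22:14:04 198.51.100.7 GET /search.asp 500
2004-05-11 22:14:05 198.51.100.9 GET /search.asp 500
2004-05-11 22:14:05 198.51.100.7 GET /search.asp 500
2004-05-11 22:14:06 192.0.2.10 GET /index.asp 200
2004-05-11 22:14:06 198.51.100.9 GET /search.asp 500
EOF
}

# "count ip" pairs, busiest client first.
count_by_ip() {
  awk '
    /^#Fields:/ { col = 0
                  for (i = 2; i <= NF; i++) if ($i == "c-ip") col = i - 1
                  next }
    /^#/ || !col { next }     # skip directives and anything before #Fields
    { hits[$col]++ }
    END { for (ip in hits) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Clients at or above a request threshold: candidates for a closer look.
heavy_hitters() {
  count_by_ip | awk -v min="$1" '$1 + 0 >= min + 0 { print $2 }'
}

# Roll the counts up to /24 networks, the unit worth a whois lookup
# when several addresses in one range behave the same way.
count_by_net24() {
  count_by_ip | awk '
    { split($2, o, "."); net[o[1] "." o[2] "." o[3] ".0/24"] += $1 }
    END { for (n in net) print net[n], n }
  ' | sort -k1,1nr -k2,2
}

# Percentage of one client's requests that ended in a 5xx status.
error_share() {
  awk -v ip="$1" '
    /^#Fields:/ { for (i = 2; i <= NF; i++) {
                    if ($i == "c-ip") c = i - 1
                    if ($i == "sc-status") s = i - 1 }
                  next }
    /^#/ || !c || !s { next }
    $c == ip { total++; if ($s >= 500) bad++ }
    END { print (total ? int(100 * bad / total) : 0) }
  '
}

sample_log | count_by_ip
```

On a real log, pipe the file in place of `sample_log`; the threshold passed to `heavy_hitters` has to be chosen against the site's normal per-client volume.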

#10 It will take me four days tops for an analysis of ALL the ips regardless of the size of the IP logs. (unless the log files are in the gigabytes, then I will have to make more room.)

I do this for my home website and I can do this for you.

No charge.
Posted by badanov 2004-05-12 1:56:09 PM [http://www.rkka.org]

#11 Fred, also, I can set up an immediate, read-only mirror to rantburg on my home web server. Can get it up to refresh every ten mins. It's not pretty, but with a little editing the script can make a mirror look just like your site.
Posted by badanov 2004-05-12 1:58:03 PM [http://www.rkka.org]

#12 Badanov, it wouldn't take much in terms of wrapping a script around the "wget" command to set up a regularly upgraded mirror, although you'd need to do work to figure out how to keep the mirror daemon from becoming part of the problem during a DDOS attack; maybe have it cued from the main server when the load drops below a certain point?

You'd probably also want some sort of limit into how deep the recursive-web-suck goes, because of server load problems. Again, wget could handle translation of url's so that hitting "browse" would bring up your copy of most recent comments page.

I do not know how to get it to only translate some url's so that comment form requests go back to the original page; that would require that it be selective.

(Hmm. If Fred changed things so that there was a "rantburg-master.com" domain name that mapped to the same machine as rantburg.com, and used that for the url for the comments form, but rantburg.com for everything else, that would let the whole page be mapped across different servers.

There could be rantburg-1.com in Alaska, rantburg-2.com in Houston (or wherever), and rantburg-3.com somewhere else, all mirroring rantburg.com (with url translation), but you'd need to use rantburg-master.com (which would map to the same machine as rantburg.com) in order to post a story, a link, or a comment.

Or just have a rantburg.com that's the mirror, or a collection of mirrors, served round-robin, and a rantburg-master.com that can only be accessed from the mirrors plus a preapproved list of IP addresses.

With luck, this could be set up to use commodity hardware... imagine using $ 100.00 surplus linux boxen for the mirrors, which are just dishing out static content, and use an expensive windows box to drive the main engine.

Is any of this making sense?
Posted by Phil Fraering 2004-05-12 3:45:04 PM [http://newsfromthefridge.typepad.com]

#13 11A5S says: "Time to hit the tip jar."

I'll second that. Consider it done.

Give what you can, Rantburgers - we need to keep this news source on line, and support Fred as he does it.
Posted by Barbara Skolaut 2004-05-12 4:04:03 PM

#14 Is any of this making sense?

You lost me at Badanov.
Posted by Steve 2004-05-12 4:20:51 PM

#15 I've got Apache 2 on the server. I've been thinking (ow! my head!) in terms of rewriting the whole site in PHP as a "backup." That way, articles will be going to the same database, and searches (when I turn them back on) will still work, though internal links wouldn't work. Problems on IIS would be handled by turning it off, without losing site availability. I could handle the switchover fairly transparently by just switching the port assignments on the two servers. Only problem would come if there was a database crash, but with MySQL that's pretty to fix.

I think that makes sense...
Posted by Fred 2004-05-12 4:32:52 PM

#16 Well, I thought that my suggestion would be helpful in that it wouldn't involve reprogramming the whole mess, but just changing three sets of url's (post a comment, post an article, post a link) to point to (for instance) master.rantburg.com, and having a router redirecting requests to "rantburg.com" to journeyman1.rantburg.com, journeyman2.rantburg.com, et cetera... it could be done without massive changes to the code base, and would let you start sharing part of the load right away to donated-ware like the sun server someone mentioned earlier.

(On reflection, I think the master.rantburg.com and journeyman-x.rantburg.com domain name thing would work better than my previous scheme; it wouldn't require buying any new domain names.)

If the windows version you're using has long filenames and a variant of the "wget" command, it could do it instead.
Posted by Phil Fraering 2004-05-12 4:50:41 PM [http://newsfromthefridge.typepad.com]

#17 Phil, just a simple GET, grabs all the comments and all the articles including the highlighting. The value of this is that even if a prick does try an attack, the mirror page will back up all fat and happy, smiling at the little brigand(s) the whole time.

Of course, no one will be able to comment on the mirror, but at least the files and the comments that do get through will be posted. In fact I can do a minimal mirror as a demo to show you all, and I can replicate it on my home server as well as rkka.

I will do that in the next few hours and post the link. I will bring it down at Fred's request, as it is only a demo.

Oh, and Fred: I use PostgreSQL db in my family's business, so if you do rewrite it all in php I can definitely setup a true mirror on my home server and on rkka. RKKA uses mysql, so it will be easy. Aaron uses the mysql on rkka for his mirror.
Posted by badanov 2004-05-12 6:40:37 PM [http://www.rkka.org]

#18 Well, Badanov, the specific command syntax I was thinking of was:

wget --restrict-file-names=unix -E -r -l 2 -k -K

This should get everything on page 1, page 2, yesterday's page 1, and nothing more.

(Note that setting l to zero basically disables it, and sucks the whole rantburg database down. As Egon says, "that would be bad." If the load ever drops I'll ask Fred if I could do the experiment as stress testing, but given the current situation I think I'll just procrastinate for now.)

If your "get" command isn't doing translation or a recursive download of at least a couple layers deep then it'll probably be going to the server when the user clicks on "browse," if that's what he has to do to read comments, or it'll have gaps in its coverage.
Posted by Phil Fraering 2004-05-12 7:28:52 PM [http://newsfromthefridge.typepad.com]

#19 Uh, forget what I just said.

It starts grabbing more than it should because of the links off to the side, of the two weeks of the war on terror. It starts getting the whole pages for those days... and I killed the process before it got around to doing the translation of the links. I'm going to try l=1 and hopefully that'll keep everything in check.
Posted by Phil Fraering 2004-05-12 7:40:55 PM [http://newsfromthefridge.typepad.com]

#20 Phil, wget or raw GET the output will have to be filtered through a perl script to replace the recursive references to the get request with the real references back to rantburg.

I have a test page up now at:
This location

The trick will be the regex routine that will do the substitutions. If I don't figure it out in the next coupla hours, I will be forced to use sed and gawk :oD

As you can see, it isn't pretty, but it gets the job done.
Posted by badanov 2004-05-12 7:54:36 PM [http://www.rkka.org]

#21 I have done further reading of the man page for wget, and I found an option that will limit the amount of bandwidth it uses as it downloads, which would be useful to keep from melting the server.
I think I'll set it to dialup speeds for now.
(Note: the option doesn't work on small files, but on larger ones instead.)

There's also an option that will keep from downloading files that haven't changed, but in order for that to work the web server has to allow timestamps in the header, which according to the last run rantburg currently doesn't have on everything, probably because they're dynamic content ASP pages. (doh!)

I can also tell it to ignore url's that match the wildcard *comment*.
Posted by Phil Fraering 2004-05-12 7:59:14 PM [http://newsfromthefridge.typepad.com]

#22 Phil, it makes much more sense and far simpler just to tell GET to grab the current page, filter it through a script that either refers to a local page to tell the user the mirror is read only, OR have the script rewrite the output to change the recursive elements back to rantburg.com.

Recursive elements I refer to are where standard output rewrites the rantburg references to the local server. I want to filter that output to write the file as it is reading the page with the corrected URLs or a local page reminding the user, the page is readonly, and that they will have to go to rantburg to post any comments.

You are probably aware regex in any *n*x product often behaves funny sometimes. It may take awhile before I get it up to a decent mirror.
Posted by badanov 2004-05-12 8:06:26 PM [http://www.rkka.org]
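
The two rewrite options described in comment #22, sketched with sed as an added example that is not part of any commenter's post: links to the comment form are either pointed back at the master site or replaced with a local read-only notice, and a final check counts write links still served by the mirror. The sample HTML, the `default.asp` and `readonly.html` names and the function names are assumptions; attributes are assumed lowercase and double-quoted.

```sh
#!/bin/sh
# Added example: post-process a mirrored page so that "write" links (the
# comment form) leave the read-only mirror. Write URLs are recognised by
# the substring "comment", the same wildcard used in the thread.
# The sample HTML is constructed.

# Relative href/action values whose first path segment contains "comment".
# The [^"/:] class refuses anything with a scheme, so links that are
# already absolute are left alone.
WRITE_LINK='(href|action)="/?([^"/:]*comment[^"]*)"'

sample_page() {
cat <<'EOF'
<a href="default.asp?page=2">Page 2</a>
<a href="/comment.asp?id=12345">Post a comment</a>
<form method="post" action="comment.asp">
<a href="http://rantburg.com/comment.asp?id=12345">Already absolute</a>
EOF
}

# Option 1: send write links back to the master site.
# $1 is the master base URL (no trailing slash, no "#" or "&" in it).
to_master() {
  sed -E "s#${WRITE_LINK}#\\1=\"$1/\\2\"#g"
}

# Option 2: replace write links with a local page that says the mirror
# is read-only. $1 is that page's path on the mirror.
to_notice() {
  sed -E "s#${WRITE_LINK}#\\1=\"$1\"#g"
}

# Verification step: how many write links would still be answered by the
# mirror itself? Anything above 0 after rewriting is a missed form or link.
local_write_links() {
  grep -oE "${WRITE_LINK}" | wc -l | tr -d ' '
}

sample_page | to_master http://rantburg.com
```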

#23 Badanov, I just finally got a successful 1-level grab, and will try to get a 2-level now. Wget did the translation correctly, going to the local directory for files that were local, but connecting to rantburg.com if you wanted to make your own comment.

(The last iteration of the command I did was:

" wget --restrict-file-names=unix -E -r -l 1 -k -K -N --limit-rate=10k -L --reject *comment* http://rantburg.com"). I'm going to try -l 2 now, since it seems to work and everything doesn't melt, and I'm not downloading the comments links. With this, hopefully, you won't have to write the perl script.

Let me see if there's a place I can put it up to show you, or maybe send you the tarfile of the resulting directory tree if you want.
Posted by Phil Fraering 2004-05-12 8:22:52 PM [http://newsfromthefridge.typepad.com]

#24 And, as another memo-to-self... you probably want to exclude files that match *jmailer* .

Fred, if you're still reading this and not bored to tears yet, is it viable to slip in some sort of timestamp header into the asp server, so that mirroring software would only be fetching changed pages?
Posted by Phil Fraering 2004-05-12 8:45:38 PM [http://newsfromthefridge.typepad.com]

#25 Mission accomplished.

The mirror is up here.

Phil, I used the -m directive and I have it on cron to refresh every ten mins.

Check it out for problems. If there are no problems with the mirror, I will add it to rkka under a rantburg directory in a day or so.

Fred, if this is a problem lemme know.

Phil, thanks for the pointers/tips. I am dangerous now :o)
Posted by badanov 2004-05-12 9:22:49 PM [http://www.rkka.org]

#26 you guys are beyond me, but if it keeps my RB Jones'n at bay, THANK YOU!
Posted by Frank G 2004-05-12 9:28:39 PM

#27 Hopefully this will close my input into the matter:

Phil, here is the directive I used.

wget --restrict-file-names=unix -m -k -o /several/directories/down/index.htm rantburg.com

BTW, this mirror is hosted on a $50 Pentium 166 box.
Posted by badanov 2004-05-12 9:30:17 PM [http://www.rkka.org]

#28 Holy smokes badanov, that's good! Fred, can we keep it??
Posted by Rafael 2004-05-12 9:33:43 PM

#29 OK, after yet further reading and experimenting (going slowly, because I'm limiting the runs to data rates of about 10k to keep from melting the main server), I'm excluding *rchive*,*Mailer*,*comment.asp*, and running with the noclobber option. If I don't, it starts downloading a *whole bunch* of stuff OVER AND OVER AGAIN. (Which is also why you probably want to do -k and -K). You definitely don't want to do l=inf; I don't know why that isn't blowing up on you.

And now I have to get back to my other projects.
Posted by Phil Fraering 2004-05-12 9:42:56 PM [http://newsfromthefridge.typepad.com]

#30 I ruled out the -l option early on.

The -K option affects backup and from the purpose of a simple mirror, I rely on Fred for backups.

I will watch it and make sure it doesn't blow up on me, but it seems to be pretty stable at this point.

And if the server itself blows up, well, I guess I will have to pony up a few bucks for a new Pentium 1 server. I am pretty sure the critical component, the hard drive, will survive.

Anyways, thanks so much for your help. Phil. I learned something today. You are awesome, and I appreciate the lesson.

Funny how a fifty year old can still learn things.
Posted by badanov 2004-05-12 9:55:25 PM [http://www.rkka.org]

#31 Oh, and yet another final note... I can't tell for sure, but it seems that the rantburg database refers to the same date in different server directive formats, which gets downloaded as two different files.

In the version of wget I'm using, -m implies -l inf. It might not on yours. I'm wondering if you could mail me the man page for your version. The version on my machine is gnu wget 1.9.1.

And I suggest holding off on putting it on any cron jobs until we're sure it's safe.

And I just found another big bug... I'm afraid we're going to have to shelve this experiment.

On second thought, maybe we should just put this off until the weekend, when I'll have time to mess with it?
Posted by Phil Fraering 2004-05-12 10:06:56 PM [http://newsfromthefridge.typepad.com]

#32 No good.

I am traveling to Florida to see my daughter graduate from high school. I will be gone for several days. I do have remote access to the server though and I can keep an eye on it when I am away.

So far, the cron job isn't doing anything funny I can tell. The resulting outfile is pretty big already but that can be fixed by killing the process, deleting the file, at a low activity time for the server.
Posted by badanov 2004-05-12 10:19:17 PM [http://www.rkka.org]

#33 and I just saw Badanov's last message; I should have pointed out, I didn't mean to use --limit-rate to keep from blowing up your server. I meant it to be used to keep from blowing up Fred's server.

It also gives you time to stop things if it starts downloading the previous year.

I'm learning this as I go along myself, so don't be too impressed with me.

And what I'm watching with the last attempt is that it's downloading the same article multiple times under different id's (with or without the date, or with the date in different format, plus the article ID in itself, which is a 5-digit number).

It looks like Fred was originally right, and that a proper mirror would have to involve an understanding of the database.
Posted by Phil Fraering 2004-05-12 10:32:01 PM [http://newsfromthefridge.typepad.com]

#34 If you need help, Linux, Apache, PHP, Perl and MySQL is how I am making spending cash (living comes from trips to the mailbox for money from my old employer and uncle).
Posted by OldSpook 2004-05-12 10:40:32 PM

#35 well if it becomes a problem I can stop mirroring, but the way I understand wget, the only thing it does is to get all the data in a website at the moment it was scanned and nothing more.

Which to me means, that even if Fred's mysql db does fail, the only effect for any mirrors should be new content will be delayed, as the db hasn't displayed it yet.

If you think this may blow up on my on Fred's end I will take the whole works down now.

But I am pretty sure that were Fred to suffer another DOS attack the mirror(s) will only display the last update, and will not be affected by any other processes on his server.

I will wait until after I get back from FLA to do this on the more critical rkka site, but I am pretty confident the only issue on my end will be how large the index page gets over a 24 hour period.

We'll have to see.
Posted by badanov 2004-05-12 10:40:53 PM [http://www.rkka.org]

#36 As long as it's not getting more than one level it shouldn't be blowing up and should be safe. I can't get runs of wget with l <> 1 to complete in a reasonable time.
Posted by Phil Fraering 2004-05-12 10:46:46 PM [http://newsfromthefridge.typepad.com]

#37 Phil, forget the -l switch. I think that only affects true htm pages, not asp setups like Fred's.

The -m option, according to the man page (btw I am running RH 7.3 wget 1.8.1) overrides several older options available, and it appears as long as the output is directed to a single file with no backups, it just appends and keeps going.

Actually, if an oversized dump file is the only thing I have to worry about, I am pretty excited about getting a second mirror going on rkka.

but I will wait a bit to see what issues crop up.
Posted by badanov 2004-05-12 10:56:48 PM [http://www.rkka.org]

#38 Ah. I just realized that the difference isn't quite the l=x option, but it doesn't kick in unless you use -r, which you apparently aren't.

On 1.9.1, -m is equivalent to -r -N -l inf -nr .
Posted by Phil Fraering 2004-05-12 11:12:43 PM [http://newsfromthefridge.typepad.com]

#39 OK ... so when I'm over in Badanov's mirror, am I in a suburb of Rantburg or what?
Posted by Seafarious 2004-05-12 11:49:22 PM

#40 No, when you access my mirror you are in a copy of rantburg between 0 and ten minutes old. You can browse pages, and reply to comments, and your replies will be directed to rantburg's pages, as the db rests with Fred's site.

The reasoning behind having a mirror of a single site is Fred's site, in the event of an attack is that there will be something of the site up and ready.

Of course, rantburgers in the know will have to be aware of mirrors to be able to continue reading what does get through, and posting will be slow, but the mirrors can also take up the slack in such times.

My little server probably won't be able to handle much traffic, but it will handle some of it.

When I get back from my trip I will make a new mirror on my rkka site. One or two more mirrors and rantburg is hardened from DOS attacks.
Posted by badanov 2004-05-12 11:56:29 PM [http://www.rkka.org]

#41 Did I tell you guys about the UFO I saw?
Posted by Lucky 2004-05-13 12:20:00 AM
