On 23/03/07, Jeff V. Merkey <jmerkey(a)wolfmountaingroup.com> wrote: Be a top-10 website that could slashdot other sites if it wanted to? :-)

- d. _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/wikitech-l

Block all involved IPs at the firewall. It's a workable solution as long as you can identify the problem requests in your logs. It's entirely feasible to block thousands of IP addresses in this way. Per-IP limits such as apache's mod_throttle will also help, as will system optimisation and caching.

Tim Starling wrote: Already started. Didn't help. I ended up blocking thousands of ranges and they just kept cloning Zombies from new ranges faster than I could enter them. Throttling seems to make sense however. I changed the cache settings on the squid proxy servers this morning -- it helped. They are slowing down. I guess the person doing it is getting bored, I am 99% certain based on a single Russian IP address (which I know was being used to monitor the attack and its progress) that I blocked who is doing this. It's the guy running GNAA -- the one who called me one night and posted an MP3 of the conversation online and on the GNAA website and the Wikipedia chatroom. When I blocked his "monitoring IP Address" he got really pissed and intentified the attack. The Russian Guy who works at a software company by day and trolls the internet by night. He lives somewhere in Oregon, and runs these attacks from bot-nets all over the world. At any rate, the network is stable and holding its own. I wrote a port 80 shim last night that throttles IP traffic by address range and shunted to over to the main Web Server at about 11:00 p.m. I was unaware apache had something similiar. I'll look at it and get it enabled. Jeff >-- Tim Starling

On Fri, Mar 23, 2007 at 01:27:39PM -0800, George Herbert wrote: Wouldn't it be pretty to think so. Some pretty high-profile sites have tried this approach to DOS attacks in the past, I'm told. Not much came of it, except that some people got to be laughed at by Special Agents on the phone. In general, unless there are at least 6 digits in the amount of money someone's stealing from you, and preferably 7, the FBI hasn't proven to be really interested. Maybe someone should call Scott Bakula, instead. Cheers, -- jra