Thanks, Tim. Can you find an example to display a SYN attack in Ganglia? I looked at Wiki
Ganglia displays, but no example was apparent.
It would help the majority if an example of the attack pattern were displayed.
No opinion on the case in this instance, but more information is better decision making.
:D
On Apr 22, 2013, at 2:33 AM, Tim Starling wrote:
> On 22/04/13 15:34, Stephen Villano wrote:
>> First, have there been any configuration changes shortly before the
>> problem began? The first rule is "look for stupidity", as in an
>> error in configuration causing a self-DOS. Many of us have done
>> that to ourselves, to our embarrassment. If not, go with Tim's
>> suggestion and also look at squid's logs. Are you getting requests,
>> but no full session (syn flood)?
>> I'm on your site periodically. It's normally smoothly running,
>> since you went with Linode. The site is overall well behaved.
>> However, it is one that could easily become the target of a script
>> kiddie. So, do you have SYN cookies turned on?
>
> Most kinds of DoS attack, including SYN flooding, can be seen in
> Ganglia as a sharp increase in inbound network traffic, especially as
> measured by packet count (pkts_in).
> SYN cookies are definitely a good idea, regardless of whether an
> attack is underway. They are enabled by default in Ubuntu.
> -- Tim Starling
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
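
The signals mentioned in the thread (inbound packet rate, half-open sessions, SYN cookies) can also be read directly on a Linux host. The following is an added example, not part of the original messages; the function names are hypothetical and all sample text is constructed in the layout of `/proc/net/tcp` and `/proc/net/dev`.

```python
# Added example: host-side view of the signals discussed in the thread.
# All sample text below is constructed, not captured from a real server.
from collections import Counter

SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A000005:0050 010200C0:C350 03 00000000:00000000 01:00000064 00000002     0        0 0
   2: 0A000005:0050 020200C0:C351 03 00000000:00000000 01:00000064 00000002     0        0 0
   3: 0A000005:0050 076433C6:D2F0 01 00000000:00000000 00:00000000 00000000    33        0 1002
"""
DEV_TEMPLATE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets
  eth0: 9000000 {pkts}    0    0    0     0          0         0  7000000   40000
"""
SAMPLE_DEV_T0 = DEV_TEMPLATE.format(pkts=50000)   # first reading
SAMPLE_DEV_T1 = DEV_TEMPLATE.format(pkts=650000)  # reading 60 seconds later

def half_open_by_port(tcp_text):
    """Count sockets in SYN_RECV (state code 03) per local port."""
    counts = Counter()
    for line in tcp_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "03":
            port_hex = fields[1].rsplit(":", 1)[1]  # local_address is ADDR:PORT in hex
            counts[int(port_hex, 16)] += 1
    return dict(counts)

def rx_packets(dev_text, iface):
    """Return the cumulative received-packet counter for one interface."""
    for line in dev_text.splitlines()[2:]:          # skip the two header rows
        name, _, stats = line.partition(":")
        if name.strip() == iface:
            return int(stats.split()[1])            # column 2 of Receive = packets
    raise KeyError(iface)

def pkts_in_rate(dev_before, dev_after, iface, seconds):
    """Inbound packets per second between two readings (what pkts_in graphs)."""
    return (rx_packets(dev_after, iface) - rx_packets(dev_before, iface)) / seconds

def syncookies_enabled(sysctl_value):
    """net.ipv4.tcp_syncookies: 0 = off, 1 = on SYN-queue overflow, 2 = always."""
    return sysctl_value.strip() in ("1", "2")

if __name__ == "__main__":
    print("half-open per port:", half_open_by_port(SAMPLE_TCP))
    print("pkts_in/s:", pkts_in_rate(SAMPLE_DEV_T0, SAMPLE_DEV_T1, "eth0", 60))
    print("SYN cookies on:", syncookies_enabled("1\n"))
```

On a live host, pass the contents of `/proc/net/tcp`, `/proc/net/dev` and `/proc/sys/net/ipv4/tcp_syncookies` in place of the samples.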