[racket-dev] DOS attack on planet?

From: Eli Barzilay (eli at barzilay.org)
Date: Sun Sep 22 16:25:44 EDT 2013

I just looked into that, and it seems that there's something bad going
on with some machine at BYU which started yesterday.  (Ping: Jay.)

The offending traffic comes from "fltr5.byu.edu", at a very high rate.
The new log file for the week had started at 2013-09-22 03:40 local
time (about 12.5 hours ago) with 92000 queries for this period, and
85% of this traffic (about 78k, about 100 hits per second) is coming
from this BYU IP.  Looking back, it seems that it's something recent
that had started just yesterday, so whatever it is, it's new.  Most of
the traffic is basically a repeating loop of these 8 lines, shown below.

(I will restart the server now, in an attempt to get whatever it is
that causes this mess to crash.)

128.187.97.22 - - [22/Sep/2013:03:49:17 -0400] "GET /servlets/pkg-info.ss HTTP/1.1" 200 5650 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:18 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22dracula.plt%22&maj=1&min-lo=0&min-hi=%23f&path=%28%22cce%22%29 HTTP/1.1" 404 79 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:18 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22dracula.plt%22&maj=2&min-lo=0&min-hi=%23f&path=%28%22cce%22%29 HTTP/1.1" 404 79 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:18 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22dracula.plt%22&maj=5&min-lo=0&min-hi=%23f&path=%28%22cce%22%29 HTTP/1.1" 404 41 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:18 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22drocaml.plt%22&maj=1&min-lo=0&min-hi=%23f&path=%28%22abromfie%22%29 HTTP/1.1" 404 79 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:18 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22fasttest.plt%22&maj=1&min-lo=0&min-hi=%23f&path=%28%22cce%22%29 HTTP/1.1" 404 79 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:19 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22xmlrpc.plt%22&maj=3&min-lo=0&min-hi=%23f&path=%28%22schematics%22%29 HTTP/1.1" 404 79 "-" "-"
128.187.97.22 - - [22/Sep/2013:03:49:19 -0400] "GET /servlets/planet-servlet.ss?lang=%225.90.0.9%22&name=%22bystroTeX.plt%22&maj=1&min-lo=0&min-hi=%23f&path=%28%22amkhlv%22%29 HTTP/1.1" 200 63508 "-" "-"




30 minutes ago, Robby Findler wrote:
> I don't think that the planet server itself doesn't keep enough
> information to say much about this, but the requests come via apache
> so there might be more information in a log file at that level that
> Eli might be able to tell us about.
> 
> I do see lots of requests coming in for packages, tho. In addition
> to yours, dracula.plt fasttest.plt, drocaml.plt, and xmlrpc.plt seem
> to be being continuously asked for.
> 
> Robby
> 
> On Sun, Sep 22, 2013 at 12:40 PM, Andrei Mikhailov <a.mkhlv at gmail.com> wrote:
> 
>     Sorry if I am raising a false alarm. I noticed that there is a massive
>     download of my package
>     called bystroTeX : http://planet.racket-lang.org/display.ss?package=bystroTeX.plt&owner=amkhlv
>     All the downloads are of the (old) version 1.6
>    
>     What is going on?
>     Is it possible to figure out who downloads it?

-- 
          ((lambda (x) (x x)) (lambda (x) (x x)))          Eli Barzilay:
                    http://barzilay.org/                   Maze is Life!

Posted on the dev mailing list.
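
The kind of tally described in the message above (one client's share of the access log, its request rate, and the length of its repeating request loop), as an added example that is not part of the original post. The sample lines, the 198.51.100.x and 203.0.113.x addresses, the `a.plt`/`b.plt` names and all function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format, the format of the lines quoted in the message.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(lines):
    """Yield (ip, timestamp, target, status); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["target"], int(m["status"])

def top_talker(records):
    """Return (ip, share_of_all_requests, requests_per_second) for the busiest client."""
    records = list(records)
    if not records:
        return None
    ip, n = Counter(r[0] for r in records).most_common(1)[0]
    times = [r[1] for r in records if r[0] == ip]
    span = max((max(times) - min(times)).total_seconds(), 1.0)  # avoid divide-by-zero
    return ip, n / len(records), n / span

def shortest_cycle(targets):
    """Smallest period p such that the request sequence repeats every p, else None."""
    n = len(targets)
    for p in range(1, n // 2 + 1):
        if all(targets[i] == targets[i - p] for i in range(p, n)):
            return p
    return None

def sample_log():
    """Constructed sample: one client looping over 3 requests, 2 unrelated hits, 1 bad line."""
    loop = ["/servlets/pkg-info.ss", "/servlets/planet-servlet.ss?name=a.plt",
            "/servlets/planet-servlet.ss?name=b.plt"]
    fmt = '{ip} - - [22/Sep/2013:03:49:{s:02d} -0400] "GET {t} HTTP/1.1" 200 100 "-" "-"'
    lines = [fmt.format(ip="198.51.100.7", s=i, t=loop[i % 3]) for i in range(12)]
    lines.append(fmt.format(ip="203.0.113.5", s=4, t="/"))
    lines.append(fmt.format(ip="203.0.113.9", s=9, t="/display.ss"))
    lines.append("truncated or garbled line")
    return lines

if __name__ == "__main__":
    recs = list(parse(sample_log()))
    ip, share, rate = top_talker(recs)
    cycle = shortest_cycle([r[2] for r in recs if r[0] == ip])
    print(f"{ip}: {share:.0%} of requests, {rate:.2f} req/s, loop length {cycle}")
```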