Well. We had a little excitement at the blog last night. Excitement of the wrong kind, but all appears well now.
Bill St. Clair swiftly and accurately shifted ClaireWolfe.com yesterday from cranky, creaky JustHost to new HawkHost servers. I set the DNS change in motion (most everybody should be seeing the site on its new servers now or very shortly). And — zoom! — much faster. No 502 errors. Glory hallelujah! All problems solved.
Then. Shortly afterward I noticed memory usage creeping up. And creeping more. I contacted HawkHost support, which confirmed JustHost’s claim that these problems could be the result of bad scripts or memory-hogging plugins.
Oh no. Could JustHost have had an actual point?
In the evening I checked again and OMG, both physical memory usage and CPU usage were in dangerous territory. Memory use was at a shocking 96 percent. BIG TROUBLE. I alerted our tech geniuses, though it was probably too late at night for them to help. I began unplugging plugins, to no avail. I thought we were about to go offline. Or get shut down by our new host. How ironic. We move to get away from irritating troubles and end up with catastrophic ones.
But no. Shortly, the bad stats began dropping. They dropped below panic point but still remained high as I crawled into bed.
Later, in the dark middle of the night, Bill discovered that a single IP address had accessed the blog 32,000 times in short order. Not a DDoS attack, but not friendly, either.
This morning, I blocked that IP addy. But already all our stats looked blessedly “lite” again. JustHost’s boilerplate supposition that we’re running faulty scripts or committing chronic database overload was indeed false. Might look at some optimization, though.
Whew. Enjoy the speedy new site.
Claire, some tech trivia: we switched to HawkHost after our experience being DDOS’d back in 2010. I specifically wanted a host that ran LiteSpeed web server rather than Apache, because LiteSpeed is significantly faster at processing .htaccess files, and those are the first line of defense. (Well, the first line of defense that’s under our/your control, anyway.) I found that onslaughts that would bring Apache to its knees were handled quite well by LiteSpeed.
Offhand I don’t recall if IP address blocks at HawkHost are implemented through .htaccess, or through some other mechanism.
We have two lines of defense after .htaccess, but that’s a story for another day.
What was the IP address sending the attack?
Good question, Rick. I’m going to leave it up to Bill whether we should state that or not. I know the IP addy but don’t have enough knowledge to have a clue as to whether it’s a good or bad thing to publicize it. He can say more about what happened, also, if he thinks it’s wise.
Good background, Brad. I’ve never had to deal with anything like that before. Knock wood we never will again, but I suppose these days that’s wishful thinking.
While I don’t believe what happened last night was a deliberate attack, it did very nearly knock us offline and clearly we need some first, second, and third-line defenses.
It was some random address in the Los Angeles area, unreported as a problem at robtex.com. Looked like one person who decided to aim wget or similar at the site.
I’d love to be able to impose hit rate limiting on each IP that visits. They should be able to pull CSS, JS, and image files at will, but be limited in how many HTML or PHP files they can access per unit time. This guy was doing multiple accesses per second.
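Added example, not part of the original comment thread or the site's own tooling: the policy described above (static assets unlimited, HTML/PHP requests capped per client per unit time) applied as a sliding-window check over access-log lines, which shows which clients such a limit would have caught. The function names, thresholds, and log lines are constructed for illustration; it assumes combined-format log lines in time order and uses documentation-range IP addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Start of a combined-format access log line: client IP, timestamp, request path.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+)')
# Assets a browser pulls in bursts; these are exempt from the limit.
STATIC = re.compile(r"\.(css|js|png|jpe?g|gif|ico|svg|woff2?)$", re.I)

def heavy_clients(lines, max_pages=20, window_s=10):
    """Return {ip: peak page requests seen in any window_s-second window}
    for clients whose peak exceeds max_pages. Static assets are not counted."""
    recent = defaultdict(deque)   # ip -> timestamps of recent page requests
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip malformed lines rather than abort
        ip, stamp, target = m.groups()
        if STATIC.search(target.split("?", 1)[0]):
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > max_pages:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed log: one client fetching 3 pages/second for 10 s, and one
    ordinary visitor loading a single page plus 20 static assets."""
    t0 = datetime.strptime("01/Jan/2024:03:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 512'
    out = []
    for sec in range(10):
        stamp = (t0 + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        out += [fmt.format("203.0.113.7", stamp, f"/?p={sec * 3 + i}") for i in range(3)]
    stamp = t0.strftime("%d/%b/%Y:%H:%M:%S %z")
    out.append(fmt.format("198.51.100.20", stamp, "/index.php"))
    out += [fmt.format("198.51.100.20", stamp, f"/img/{i}.png?v=2") for i in range(20)]
    return out

if __name__ == "__main__":
    for ip, peak in heavy_clients(sample_log()).items():
        print(f"{ip}: {peak} page requests within 10 s")
```

The visitor who loads one page and twenty images stays under the limit because only non-static requests are counted; the client fetching several pages per second is the only one reported.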
NoScript blocked me from Continue Reading and Comments until I Allow[ed] Scripts Globally. After allowing, I went back to Forbid Scripts Globally, and suddenly I can now Continue Reading and Comments. Don’t know what happened to deny it, or why suddenly I can now link, but am glad it’s working without having to Allow Scripts.
I’d like to add that address to my rather large home server ban list if you will post it.
Hi Claire. You might consider doing geographic IP blocking. That has helped us at Countryplans.com a lot.