http spammer causing DDoS via Proxies resulting in dead server ... CLOSE_WAIT etc

Lord Matt · 04-06-2008, 06:02 AM

What seems to be killing me is the number of child processes in such statuses as LAST_ACK, CLOSE_WAIT and TIME_WAIT - I need to be able to recycle those resources faster to keep up with the spammers resource sucking.

I've only been learning about these things these last few days (3 day DDoS from http comment/trackback spam on a dedicated server) and while I am unsure what LAST_ACK might be the huge number of CLOSE_WAIT from those proxy connections is choking the server.

Is there anything I can do about this?

unSpawn · 04-08-2008, 08:57 AM

Quote:

Originally Posted by Lord Matt

What seems to be killing me is the number of child processes in such statuses as LAST_ACK, CLOSE_WAIT and TIME_WAIT

Search LQ, there's some threads about .*_WAIT state problems that talk about lowering values in net.ipv4.netfilter.ip_conntrack_tcp_timeout_* and net.ipv4.tcp_* sysctls, httpd.conf tuning and iptables modules. However most of it deals with remedying symptoms, not the cause.

Quote:

Originally Posted by Lord Matt

I've only been learning about these things these last few days (3 day DDoS from http comment/trackback spam on a dedicated server)

Maybe it goes against your idea of what the 'net should provide (and captcha-reading bots could work around this) but maybe start by stopping the cause? Like denying anonymous commenting?