* Something's hammering cvsweb.
@ 2003-10-29 5:29 Phil Edwards
2003-10-29 7:44 ` Jonathan Larmour
2003-10-29 14:54 ` Christopher Faylor
0 siblings, 2 replies; 3+ messages in thread
From: Phil Edwards @ 2003-10-29 5:29 UTC (permalink / raw)
To: overseers
After someone complained of CVS refusals due to the load being too high,
I looked briefly and found that scads of cvsweb.cgi processes had driven
the load into the high 50's. Here's a snippet:
apache 25646 6.0 0.1 5356 3592 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20010122
apache 25647 8.6 0.1 5244 3480 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20001030
apache 25649 8.6 0.1 5356 3592 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20010115
apache 25684 6.6 0.1 4976 3188 ? R 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20000417
apache 25685 6.3 0.1 4980 3192 ? R 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=hammer-3_3-merge-20030414
apache 25692 8.3 0.1 5276 3512 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20001106
apache 25693 8.0 0.1 5236 3472 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=merged-arm-thumb-backend-merge_20000113
apache 25694 9.0 0.1 5352 3588 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20010625
apache 25696 10.0 0.1 4976 3188 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20000717
apache 25698 10.0 0.1 4976 3188 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=egcs_ss_980214
Note the start time; they're all being fetched simultaneously. (My guess
is some bizarre spambot trying to do every combination of form-fillout
with the drop-down list of tags.) At any rate, it's a very effective DoS.
--
LUKE: Is Perl better than Python?
YODA: No... no... no. Quicker, easier, more seductive.
LUKE: But how will I know why Python is better than Perl?
YODA: You will know. When your code you try to read six months from now.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Something's hammering cvsweb.
2003-10-29 5:29 Something's hammering cvsweb Phil Edwards
@ 2003-10-29 7:44 ` Jonathan Larmour
2003-10-29 14:54 ` Christopher Faylor
1 sibling, 0 replies; 3+ messages in thread
From: Jonathan Larmour @ 2003-10-29 7:44 UTC (permalink / raw)
To: Phil Edwards; +Cc: overseers
Phil Edwards wrote:
> After someone complained of CVS refusals due to the load being too high,
> I looked briefly and found that scads of cvsweb.cgi processes had driven
> the load into the high 50's. Here's a snippet:
[snip]
>
> Note the start time; they're all being fetched simultaneously. (My guess
> is some bizarre spambot trying to do every combination of form-fillout
> with the drop-down list of tags.) At any rate, it's a very effective DoS.
I'm distracted enough to have a peek out of curiousity: here's an entry
from gcc.gnu.org's log:
61.250.89.149 - - [29/Oct/2003:07:36:59 +0000] "GET
/cgi-bin/cvsweb.cgi/gcc/install-sh?only_with_tag=ra-merge-20020521
HTTP/1.0" 200 143991 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;
DigExt; empas)"
The address is assigned to "jobkorea.co.kr" whoever they are, and DigExt
can be found mentioned here which indicates it's a web crawler
http://www.webmasterworld.com/forum11/2141.htm and more specifically:
"digext is the crawler for IE's "make available offline" mode. Also known
as subscriptions."
Another thing says: "DigExt is a common string that the IEAK
(Internet Explorer Administration Kit) put in when you customise an install,"
Certainly other people indicate it hammers servers. Some people wrote
throttling scripts to detect this type of thing. But I guess someone will
be along shortly to bar them entirely instead ;).
Jifl
--
eCosCentric http://www.eCosCentric.com/ The eCos and RedBoot experts
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Something's hammering cvsweb.
2003-10-29 5:29 Something's hammering cvsweb Phil Edwards
2003-10-29 7:44 ` Jonathan Larmour
@ 2003-10-29 14:54 ` Christopher Faylor
1 sibling, 0 replies; 3+ messages in thread
From: Christopher Faylor @ 2003-10-29 14:54 UTC (permalink / raw)
To: Phil Edwards; +Cc: overseers
On Wed, Oct 29, 2003 at 12:29:31AM -0500, Phil Edwards wrote:
>After someone complained of CVS refusals due to the load being too high,
>I looked briefly and found that scads of cvsweb.cgi processes had driven
>the load into the high 50's. Here's a snippet:
>
>apache 25646 6.0 0.1 5356 3592 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20010122
>apache 25647 8.6 0.1 5244 3480 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20001030
>apache 25649 8.6 0.1 5356 3592 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20010115
>apache 25684 6.6 0.1 4976 3188 ? R 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20000417
>apache 25685 6.3 0.1 4980 3192 ? R 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=hammer-3_3-merge-20030414
>apache 25692 8.3 0.1 5276 3512 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20001106
>apache 25693 8.0 0.1 5236 3472 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=merged-arm-thumb-backend-merge_20000113
>apache 25694 9.0 0.1 5352 3588 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20010625
>apache 25696 10.0 0.1 4976 3188 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=gcc_ss_20000717
>apache 25698 10.0 0.1 4976 3188 ? S 05:23 0:00 /usr/bin/perl -s /var/www/gcc/cgi-bin/cvsweb.cgi only_with_tag=egcs_ss_980214
>
>
>Note the start time; they're all being fetched simultaneously. (My guess
>is some bizarre spambot trying to do every combination of form-fillout
>with the drop-down list of tags.) At any rate, it's a very effective DoS.
It probably is a spambot since the robots.txt file is supposed to disallow
access to /cgi-bin/. I don't see any indication of a problem now but I'll
look over the logs later today.
In the meantime, I've tightened up the robots.txt on gcc.gnu.org to disallow
some of the more popular spambot user agents.
cgf
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2003-10-29 14:54 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-10-29 5:29 Something's hammering cvsweb Phil Edwards
2003-10-29 7:44 ` Jonathan Larmour
2003-10-29 14:54 ` Christopher Faylor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).