From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 2002 invoked by alias); 7 Apr 2004 02:58:30 -0000 Mailing-List: contact overseers-help@sources.redhat.com; run by ezmlm Precedence: bulk List-Archive: List-Post: List-Help: , Sender: overseers-owner@sources.redhat.com Received: (qmail 1786 invoked from network); 7 Apr 2004 02:58:27 -0000 Received: from unknown (HELO RERELAY.conquestis.com) (63.144.52.41) by sources.redhat.com with SMTP; 7 Apr 2004 02:58:27 -0000 Received: from timesys.com ([66.230.74.196]) by RERELAY.conquestis.com with Microsoft SMTPSVC(5.0.2195.6713); Tue, 6 Apr 2004 22:57:28 -0400 Received: by timesys.com (Postfix, from userid 201) id 35C81400028; Tue, 6 Apr 2004 22:58:25 -0400 (EDT) Date: Wed, 07 Apr 2004 02:58:00 -0000 From: Christopher Faylor To: overseers@sources.redhat.com Subject: Re: htdig and sources.redhat.com loadavg Message-ID: <20040407025825.GD15576@coc.bosbc.com> Mail-Followup-To: overseers@sources.redhat.com References: <200404051849.i35InoT27980@makai.watson.ibm.com> <20040405205147.GA21949@coc.bosbc.com> <200404061449.i36EnaT32792@makai.watson.ibm.com> <4072D85D.3000101@eCosCentric.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-OriginalArrivalTime: 07 Apr 2004 02:57:28.0281 (UTC) FILETIME=[0FE27C90:01C41C4C] X-SW-Source: 2004-q2/txt/msg00085.txt.bz2 On Tue, Apr 06, 2004 at 12:34:36PM -0400, Ian Lance Taylor wrote: >Jonathan Larmour writes: > >> From a brief poke myself (and I'm no overseer) I'd hazard a guess it >> may be more to do with the 17 simultaneous cvs checkouts as well as 2 >> rsyncs and a couple of ftps. netstat also seems to be reporting a TCP >> SYN attack from tproxy1.NTCU.net (62 sockets in SYN_RECV state). >> >> I don't know about the "supervise" thingy but I know xinetd has a >> "max_load" parameter that could be used to e.g. deny anonymous (not >> logged in) cvs over a certain load (since having 10 cvs operations >> complete two times is better than 20 cvs operations taking nearly >> forever). > >We only permit 10 simultaneous anonymous CVS connections. However, >there is no limit on the number of CVS operations performed via ssh, >and there are several hundred people with ssh access. > >The number of connections from 211.76.240.245 is interesting. I count >39 connections at the moment, all to port 80. Looking at the HTTP >logs, though, I don't think it is a TCP_SYN attack. I think somebody >is downloading the cygwin.com web site, including all the mailing list >messages. That's usually a sign of a spammer grabbing email addresses. I've been turning off access when I notice that. I have a script "/home/cgf/bin/wwwstat" which shows connections by IP address that I run periodically, looking for this type of thing. cgf