From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 7966 invoked by alias); 6 Apr 2004 16:34:54 -0000
Mailing-List: contact overseers-help@sources.redhat.com; run by ezmlm
Precedence: bulk
List-Archive:
List-Post:
List-Help: ,
Sender: overseers-owner@sources.redhat.com
Received: (qmail 7900 invoked from network); 6 Apr 2004 16:34:46 -0000
Received: from unknown (HELO yosemite.airs.com) (209.128.65.135) by sources.redhat.com with SMTP; 6 Apr 2004 16:34:46 -0000
Received: (qmail 2058 invoked by uid 10); 6 Apr 2004 16:34:45 -0000
Received: (qmail 5364 invoked by uid 500); 6 Apr 2004 16:34:36 -0000
Mail-Followup-To: dje@watson.ibm.com, overseers@sources.redhat.com, jifl@eCosCentric.com
From: Ian Lance Taylor
To: Jonathan Larmour
Cc: David Edelsohn , overseers@sources.redhat.com
Subject: Re: htdig and sources.redhat.com loadavg
References: <200404051849.i35InoT27980@makai.watson.ibm.com> <20040405205147.GA21949@coc.bosbc.com> <200404061449.i36EnaT32792@makai.watson.ibm.com> <4072D85D.3000101@eCosCentric.com>
Date: Tue, 06 Apr 2004 16:34:00 -0000
In-Reply-To: <4072D85D.3000101@eCosCentric.com>
Message-ID:
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-SW-Source: 2004-q2/txt/msg00060.txt.bz2

Jonathan Larmour writes:

> From a brief poke myself (and I'm no overseer) I'd hazard a guess it
> may be more to do with the 17 simultaneous cvs checkouts as well as 2
> rsyncs and a couple of ftps. netstat also seems to be reporting a TCP
> SYN attack from tproxy1.NTCU.net (62 sockets in SYN_RECV state).
>
> I don't know about the "supervise" thingy but I know xinetd has a
> "max_load" parameter that could be used to e.g. deny anonymous (not
> logged in) cvs over a certain load (since having 10 cvs operations
> complete two times is better than 20 cvs operations taking nearly
> forever).

We only permit 10 simultaneous anonymous CVS connections. However,
there is no limit on the number of CVS operations performed via ssh,
and there are several hundred people with ssh access.

The number of connections from 211.76.240.245 is interesting. I count
39 connections at the moment, all to port 80. Looking at the HTTP
logs, though, I don't think it is a TCP_SYN attack. I think somebody
is downloading the cygwin.com web site, including all the mailing list
messages.

Ian
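
Added example, not part of the original message: a Python sketch of the triage discussed in this thread, grouping `netstat -tn` sockets by remote host and separating hosts whose sockets are almost all half-open (SYN_RECV) from hosts that mostly complete the handshake, as a site-mirroring client would. The sample rows use constructed documentation addresses, and the thresholds and label names are assumptions to tune per server.

```python
from collections import Counter, defaultdict

def _rows(remote, state, n, first_port):
    """Build n constructed netstat-style rows for one remote host."""
    return [f"tcp 0 0 192.0.2.10:80 {remote}:{first_port + i} {state}"
            for i in range(n)]

# Constructed sample (not data from the thread), in `netstat -tn` column order.
SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address Foreign Address State"]
    + _rows("198.51.100.7", "SYN_RECV", 6, 40000)     # never completes handshake
    + _rows("203.0.113.45", "ESTABLISHED", 5, 50000)  # busy but real client
    + _rows("203.0.113.45", "TIME_WAIT", 2, 50100)
    + _rows("203.0.113.45", "SYN_RECV", 1, 50200)
    + _rows("192.0.2.99", "ESTABLISHED", 1, 60000)
)

def tally(netstat_text):
    """Return {remote_ip: Counter(state -> socket count)} for TCP rows."""
    per_host = defaultdict(Counter)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # skip the header and non-TCP rows
        remote_ip = fields[4].rsplit(":", 1)[0]  # strip the port
        per_host[remote_ip][fields[5]] += 1
    return per_host

def classify(states, min_sockets=5, half_open_ratio=0.8):
    """Label one host's socket mix; both thresholds are assumed defaults."""
    total = sum(states.values())
    if total < min_sockets:
        return "low-volume"
    if states["SYN_RECV"] / total >= half_open_ratio:
        return "half-open-heavy"   # consistent with a SYN flood or spoofed source
    return "completed-heavy"       # real sessions: confirm in the HTTP logs

if __name__ == "__main__":
    for ip, states in sorted(tally(SAMPLE).items()):
        print(f"{ip:15} {classify(states):16} {dict(states)}")
```

A "completed-heavy" host still needs the HTTP access log to tell a crawler from ordinary traffic; the socket states only rule the half-open pattern in or out.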