Wiki performance and apparent DDoS attack

Paul Spooren mail at aparcar.org
Wed Feb 26 12:59:44 PST 2025 

Hey Ted, 

Thanks for your work!

I suggested some changes over at devel[1] that would remove the expensive ToH and package views. If you have no concerns I’d move forward and announce my next steps on the other list.

Best,
Paul

[1]: https://lists.openwrt.org/pipermail/openwrt-devel/2025-February/043774.html



> On 21. Feb 2025, at 18:45, Ted Hess <thess at kitschensync.net> wrote:
> 
> Hi all -
> 
> Over the last month or so, I've been monitoring wiki web access and performance. Myself, and a couple others,  have a pretty good handle on site-scrapers, bots and LLM scavengers. We have instituted a number of rate-limiting, IP blocking and UA blocking rules. This action had greatly reduced the load on the wiki.
> 
> Recently, the site has been overloaded again with certain ToH queries which have long running times and were timing out. Failures were logging Nginx 499 (proxy or client timeout) errors for the PHP-FPM processes. Perhaps these queries were lost in the noise created by other bots. It was the sheer number of 499 errors that got my attention. Analyses on our logs showed >1,.5M timeouts/day on a single page with varying query strings. The accesses looked like legitimate browser queries from Windows platforms - I believe this to be totally bogus. Attempts at rate-limiting access to this page based on IP address was not very successful. It turns out that over 1M of these queries are from unique IP address within >8K subnets located around the world.
> 
> This is definitely an application level DDoS attack. As of today, I have blocked all access and turned off logging for queries to the ToH Performance page. Enjoy the new found responsiveness of the wiki ;)
> 
> /ted
> 
> 
> _______________________________________________
> openwrt-adm mailing list
> openwrt-adm at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-adm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.openwrt.org/pipermail/openwrt-adm/attachments/20250226/c8178b10/attachment.sig>

More information about the openwrt-adm mailing list