Wiki performance and apparent DDoS attack
Ted Hess
thess at kitschensync.net
Wed Feb 26 13:24:52 PST 2025
Hey Paul -
I saw your message on @devel list - I do read it. I say go for it.
I was hoping someone would help integrate @soif's work. I noticed your
feedback in the OpenWrtToH repo yesterday also. Could we do an
integration similar to how the current one is hosted?
While you are at it, the wiki base needs upgrading too. I'm not that
comfortable with DokuWiki and unknown integrations/mods, etc. so someone
more familiar should do it. If there is anything I can help with - ask.
/ted
On 2/26/2025 3:59:44 PM, "Paul Spooren" <mail at aparcar.org> wrote:
>Hey Ted,
>
>Thanks for your work!
>
>I suggested some changes over at devel[1] that would remove the expensive ToH and package views. If you have no concerns I’d move forward and announce my next steps on the other list.
>
>Best,
>Paul
>
>[1]: https://lists.openwrt.org/pipermail/openwrt-devel/2025-February/043774.html
>
>
>
>> On 21. Feb 2025, at 18:45, Ted Hess <thess at kitschensync.net> wrote:
>>
>> Hi all -
>>
>> Over the last month or so, I've been monitoring wiki web access and performance. Myself, and a couple others, have a pretty good handle on site-scrapers, bots and LLM scavengers. We have instituted a number of rate-limiting, IP blocking and UA blocking rules. This action had greatly reduced the load on the wiki.
>>
>> Recently, the site has been overloaded again with certain ToH queries which have long running times and were timing out. Failures were logging Nginx 499 (proxy or client timeout) errors for the PHP-FPM processes. Perhaps these queries were lost in the noise created by other bots. It was the sheer number of 499 errors that got my attention. Analysis of our logs showed >1.5M timeouts/day on a single page with varying query strings. The accesses looked like legitimate browser queries from Windows platforms - I believe this to be totally bogus. Attempts at rate-limiting access to this page based on IP address were not very successful. It turns out that over 1M of these queries are from unique IP addresses within >8K subnets located around the world.
>>
>> This is definitely an application-level DDoS attack. As of today, I have blocked all access and turned off logging for queries to the ToH Performance page. Enjoy the newfound responsiveness of the wiki ;)
>>
>> /ted
>>
>>
>> _______________________________________________
>> openwrt-adm mailing list
>>openwrt-adm at lists.openwrt.org
>>https://lists.openwrt.org/mailman/listinfo/openwrt-adm
>
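The log analysis described in the quoted report, as an added example that is not part of the original thread or OpenWrt's tooling: it counts Nginx 499 responses per page with the query string stripped, then counts unique client addresses and subnets to show why per-IP rate limiting has little effect. The paths, sample lines, prefix lengths and thresholds are assumptions chosen for illustration.

```python
import ipaddress
import re

# Matches the start of an nginx "combined" access-log line.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def subnet_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network (prefix lengths are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def summarize_499(lines):
    """Per path (query string stripped): 499 count, unique IPs, unique subnets."""
    acc = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "499":
            continue
        try:
            net = subnet_of(m["ip"])
        except ValueError:  # first field is not an IP (e.g. "unix:"); skip the line
            continue
        row = acc.setdefault(m["target"].split("?", 1)[0], {"hits": 0, "ips": set(), "nets": set()})
        row["hits"] += 1
        row["ips"].add(m["ip"])
        row["nets"].add(net)
    return {
        path: {"hits": r["hits"], "unique_ips": len(r["ips"]),
               "subnets": len(r["nets"]), "hits_per_ip": r["hits"] / len(r["ips"])}
        for path, r in acc.items()
    }

def looks_distributed(row, min_hits=4, max_hits_per_ip=1.5):
    """Many timeouts but few per source: a per-IP rate limit will rarely trigger."""
    return row["hits"] >= min_hits and row["hits_per_ip"] <= max_hits_per_ip

# Constructed sample lines (documentation address ranges, hypothetical paths).
TPL = '{} - - [21/Feb/2025:10:00:00 +0000] "GET {} HTTP/1.1" {} 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'
SAMPLE_LOG = [TPL.format(*f) for f in [
    ("192.0.2.10", "/example/toh-page?sort=a", 499),
    ("198.51.100.7", "/example/toh-page?sort=b", 499),
    ("203.0.113.99", "/example/toh-page?filter=c", 499),
    ("192.0.2.200", "/example/toh-page?page=4", 499),
    ("203.0.113.5", "/start", 200),
    ("203.0.113.5", "/start", 499),
]]
for path, row in summarize_499(SAMPLE_LOG).items():
    print(path, row, "distributed" if looks_distributed(row) else "")
```

On a real log, a page with a very high 499 count and a hits-per-IP ratio near 1 is the pattern the report describes, and it points toward controls keyed on the page itself rather than on the client address.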