There are currently 10612 users browsing this forum. (323 members & 10289 guests)

oldsaltoz

There are currently 10612 users browsing this forum. (323 members & 10289 guests).

It seems we have a lot more peeps than contributors.

Come on you lot, get involved by signing up, it's free and your knowledge could really help others.

Good luck and fair winds. :)
 
I generally browse without signing in so I will be a guest most of the time unless I want to contribute, then I'll sign in and sign out again when I've posted my comment.

Signing out now...
 
I'm handicapped in that I haven't really looked at the counter before, so I don't know the "norm"... but if it's abnormal then given the current poor performance and a few assumptions about the infrastructure then I'm guessing one of the following things is happening (in roughly this order of likelihood):

1: The broken login fix wasn't as successful as hoped, and users are somehow ending up with multiple sessions recorded on the servers, artificially inflating the counter. The fix has somehow upset the servers. Could potentially be caused by broken cache/load balancer behaviour.

2: The counter is actually correct - might make sense as the backend system seems to be intermittently struggling for any interactive (i.e. uncached) requests. Something is driving excess traffic. YBW's Referrer logs should show what.

3: Rapid requests from someone attempting to do password cracking and steal accounts. Perhaps hoping to use the accounts for SPAM somehow. This kind of thing seems to have got a lot more common lately as the more traditional targets have got more difficult.

4: Some kind of Denial of Service (DoS) attack - again might make sense as the backend system seems to be intermittently struggling for any interactive (i.e. uncached) requests. Still unlikely.
 
If the numbers quoted are accurate, could that be a reason for the server performing like a constipated tortoise?
and don't start me on the new forum platform...
 
The numbers will be users that have connected and created a 'session' during a defined period. I'd suspect that the period is an hour or more to get those kinds of figures.

It's pretty standard stuff.

It's not DDOS, or excessive traffic... just very long session timeouts. 30k sessions isn't particularly excessive... if it was DDOS it would hit hundreds of thousands very quickly and the server would become unavailable, probably all in the space of a few minutes.
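
Added example, not part of any post in this thread: a small model of a "users browsing" counter that counts sessions with activity inside a time window, showing how a long window plus one client that never returns its session cookie inflates the guest figure. The `Request` record, the session ids and the sample traffic are constructed for illustration and do not describe how this forum's software actually counts.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    t: int                  # seconds since the start of the sample
    cookie: Optional[str]   # session id the client sent back, None if it sent none
    member: bool            # True when the session belongs to a logged-in user


def count_online(requests, now, window):
    """Return (members, guests): sessions whose last activity is within `window` s of `now`."""
    last_seen = {}          # session id -> (last activity time, member flag)
    issued = 0
    for r in sorted(requests, key=lambda r: r.t):
        if r.t > now:
            break
        sid = r.cookie
        if sid is None:
            # No cookie returned: the server has to start a fresh session,
            # so every request from this client becomes another "guest".
            issued += 1
            sid = f"new-{issued}"
        last_seen[sid] = (r.t, r.member)
    active = [member for (t, member) in last_seen.values() if now - t <= window]
    return sum(active), len(active) - sum(active)


# Constructed traffic: two members, one human guest, and one cookie-less
# client fetching a page every 3 minutes for an hour (20 requests).
SAMPLE = (
    [Request(3500, "s-alice", True), Request(3550, "s-alice", True),
     Request(1000, "s-bob", True), Request(3400, "s-carol", False)]
    + [Request(t, None, False) for t in range(0, 3600, 180)]
)

if __name__ == "__main__":
    for window in (900, 3600):
        members, guests = count_online(SAMPLE, now=3600, window=window)
        print(f"window={window:>4}s  members={members}  guests={guests}")
```

Four distinct clients produce 7 counted sessions with a 15-minute window and 23 with a one-hour window, with no change in the actual request rate.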
 
I did say DoS rather than DDoS - not the same thing, and not necessarily about lots of requests. And I did qualify that I only suggest this because of the coincidence of simultaneous high numbers and poor performance.

The reason for thinking excess traffic (as in more than is usual for the site) rather than just long session timeouts or a cache bug causing multiple sessions to be spawned alone is that, intermittently at least, the site isn't very performant tonight, and others seem to think the counter is higher than usual (though I don't know what usual is!). On top of which I've had the occasional 503...

I wonder if I should add a picture of a boat or something to this post and bring the thread on-topic :)
 
I did say DoS rather than DDoS - not the same thing, and not necessarily about lots of requests.

The reason for thinking excess traffic rather than just long session timeouts or a cache bug causing multiple sessions to be spawned alone is that, intermittently at least, the site isn't very performant tonight. On top of which I've had the occasional 503...
Occasional 503s, and slow performance isn't new for YBW! Suspect they've not got a very active db performance monitoring environment, as often outages are preceded by db errors.

I still maintain, whether we are talking DoS or DDoS, the session numbers are high, but not enough to suspect any kind of denial based activity... it's possible that someone has found, intentionally or otherwise, a bug that is kicking off tons of child server processes, but suspect that we'd have seen outage by now if that were the case.

We don't really, IMHO, have enough info to be clear in reality, but my money will be on rubbish db optimisation, perhaps excessively large log files on ever reducing allocation or similar causing dog poor performance... or a rotten leak on one of the scripts running the forum slowly killing the app server(s)... but as you'll know if you're an IT bod, problems can spring from the most exotic of places!!! :D
 
We don't really, IMHO, have enough info to be clear in reality,

Totally true, in any case... the high session count element of the question has been solved by geoid96's link.
 
2: The counter is actually correct - might make sense as the backend system seems to be intermittently struggling for any interactive (i.e. uncached) requests. Something is driving excess traffic. YBW's Referrer logs should show what.

3: Rapid requests from someone attempting to do password cracking and steal accounts. Perhaps hoping to use the accounts for SPAM somehow. This kind of thing seems to have got a lot more common lately as the more traditional targets have got more difficult.
Yes, I think you've got it.

Over the last three months I've seen a massive increase in visits to my site, rising from about 200 a day to nearly 10,000 a day. Nearly all the extra traffic is very short duration, with about half being login attempts using random user names, and most of the rest being attempts to open user accounts which are being shut out by Captcha codes. China and Russia are big sources of this traffic. Checking IP addresses against blacklists shows "forum spam sources".

So I'd guess there's a big white list out there (run by bad guys in black hats) which lists sites which have user generated content. And once you're on that list, you get bombed by every Tom, Kim or Tanya who's trying to sell fastpaydayloans or raise their search ranking by squeezing their URLs onto other sites. A recent report noted that about 46% of internet traffic comprised various forms of spam or malware distribution.

It's a war out there. Luckily, there are good guys creating black lists (wearing white hats of course), so the known offenders can be blocked. But it takes time to track 'em down. I'm back to a more sensible 1,000 a day now, probably 80% break-in attempts. What a pain - and a cost in time.
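
Added example, not part of any post in this thread: one way a site owner could pick the "login attempts using random user names" pattern out of an authentication log, by flagging source addresses that fail logins for several different usernames inside a short window while ignoring a single user mistyping their own password. The log format, field names, thresholds and sample lines (documentation-range IP addresses) are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<UTC timestamp> <ip> POST /login user=<name> status=<code>"
LINE = re.compile(r"^(\S+) (\S+) POST /login user=(\S+) status=(\d{3})$")

# Constructed sample log, in time order.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 POST /login user=qzkv status=401
2024-03-01T10:00:03Z 203.0.113.7 POST /login user=admin1 status=401
2024-03-01T10:00:04Z 198.51.100.20 POST /login user=skipper status=401
2024-03-01T10:00:06Z 203.0.113.7 POST /login user=xxrt status=401
2024-03-01T10:00:09Z 203.0.113.7 POST /login user=bob77 status=401
2024-03-01T10:00:20Z 198.51.100.20 POST /login user=skipper status=401
2024-03-01T10:00:31Z 198.51.100.20 POST /login user=skipper status=200
2024-03-01T10:00:40Z 203.0.113.7 POST /login user=mlpo status=401
2024-03-01T10:20:00Z 192.0.2.55 POST /login user=anna status=401
2024-03-01T10:40:00Z 192.0.2.55 POST /login user=ben status=401
"""


def guessing_sources(lines, window=timedelta(minutes=5), min_users=4):
    """Return {ip: most distinct usernames failed within any `window`} for flagged IPs.

    Lines must be in time order; lines that do not match LINE are skipped.
    """
    recent = defaultdict(deque)   # ip -> (time, username) of recent failed logins
    worst = defaultdict(int)      # ip -> highest distinct-username count seen
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip, user, status = m.groups()
        if status != "401":       # only failed logins count toward guessing
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[ip]
        q.append((t, user))
        while t - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        worst[ip] = max(worst[ip], len({u for _, u in q}))
    return {ip: n for ip, n in worst.items() if n >= min_users}


if __name__ == "__main__":
    print(guessing_sources(SAMPLE_LOG.splitlines()))
```

Counting distinct usernames rather than raw failures is what separates the guessing source from the member who retries one account, and the flagged addresses are the ones worth checking against a blocklist.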
 