blargg wrote:
Too bad there's no way to have something watch for excessive usage like this and simply shut down the entire site until a human can figure out what to block. Makes me angry hearing about it.
The part I'm still trying to figure out is how they managed to get that amount of network I/O out of us.
The nesdev site is rate-limited to ~50 KBytes/sec, shared across all visitors (yes, that's why the site seems slow sometimes), which means its outbound traffic technically shouldn't have exceeded 384 kbit/sec (384 kbit/sec works out to 48 KBytes/sec, hence the "~50"). I'm thinking there's a bug in the bandwidth-limiting module we use, and if that's the case, I have another I can try -- or I'll just end up sticking the site on its own IP and using ALTQ in the network stack to do the rate-limiting.
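To be clear about what "shared across all visitors" means: conceptually there's one bucket that every byte the site sends has to drain through. The real limiting is done inside Apache (and maybe ALTQ later), not by anything like this, but a throwaway Python sketch of the idea looks roughly like so (48 KB/s is the real cap; the burst size is a made-up number):

import time

class SharedBucket:
    """One token bucket for the whole site -- every visitor drains the same 48 KB/s.
    (Sketch only: a real server would need locking and per-worker coordination.)"""

    def __init__(self, rate=48 * 1024, burst=64 * 1024):
        self.rate, self.burst = rate, burst   # bytes/sec, max saved-up budget
        self.tokens = burst
        self.last = time.monotonic()

    def consume(self, nbytes):
        """Wait until nbytes of budget is available, then spend it."""
        while True:
            now = time.monotonic()
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now
            if self.tokens >= nbytes:
                self.tokens -= nbytes
                return
            time.sleep((nbytes - self.tokens) / self.rate)

bucket = SharedBucket()

def send_chunk(send, chunk):
    """Throttle every outgoing chunk through the one shared bucket."""
    bucket.consume(len(chunk))   # keep chunks <= burst size or this never returns
    send(chunk)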
Alternatives I've come up with, none of which are very user-friendly:
1) Use a module which limits the number of requests per second submitted per IP address; if an address exceeds the limit, it gets blocked for something like 5-10 minutes (roughly the idea in the sketch after this list). The problem with that method is that it can sometimes go awry (and I've seen it happen on sites I've visited), especially if someone loads different pages of the site in multiple tabs or windows.
It also doesn't solve issues like what happened this morning, because the requests from the leechers still come in and hit the webserver, which still has to spit back some brief HTML saying they've been blocked temporarily -- the requests themselves never stop.
2) Use a module which limits total site bandwidth to X kilobytes per minute/hour/day/week/month. If that number is exceeded, the site essentially shuts down hard until the limit is reset (by me). You might've seen this on some web pages out there, where you get a brief HTML message saying "Bandwidth Exceeded".
The problem with this is that all it takes is some prick downloading the entire site (which happens regularly) with wget or some *zilla downloader, and then the site goes offline for everyone until I get around to noticing or someone contacts me to reset the limit.
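To make those two options concrete, here's roughly what each one boils down to, in throwaway Python (this isn't any particular Apache module, and the thresholds are made-up numbers):

import time
from collections import defaultdict, deque

# --- Option 1: per-IP request-rate limit with a temporary block ---
MAX_REQS = 10            # made-up: requests allowed per window
WINDOW = 1.0             # seconds
BLOCK_FOR = 10 * 60      # the "5-10 minute" penalty

recent = defaultdict(deque)   # ip -> timestamps of recent requests
blocked_until = {}            # ip -> when the block expires

def allow_request(ip):
    now = time.monotonic()
    if blocked_until.get(ip, 0) > now:
        return False                      # still blocked -- but the request
                                          # still reached the webserver
    q = recent[ip]
    q.append(now)
    while q and q[0] < now - WINDOW:      # drop requests older than the window
        q.popleft()
    if len(q) > MAX_REQS:
        blocked_until[ip] = now + BLOCK_FOR
        return False
    return True

# --- Option 2: hard site-wide transfer quota ---
QUOTA = 2 * 1024**3      # made-up: bytes allowed per period
served = 0               # reset by hand (i.e. by me) when the period rolls over

def may_serve(nbytes):
    global served
    if served + nbytes > QUOTA:
        return False     # whole site goes dark: "Bandwidth Exceeded"
    served += nbytes
    return True

Note that option 1 still answers every request, even if only with a tiny "come back later" page, which is exactly why it wouldn't have helped this morning.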
There's really no decent solution to this problem, folks -- at least not one that's user-friendly while also being resource-friendly and not financially screwing me into oblivion.
P.S. --
http://jdc.parodius.com/lj/china_incident/dropped_packets_0329_0950.png shows that the leechers *still* have not shut off their leeching programs.
EDIT: I figured out how the leechers managed to get past the bandwidth limit. The bandwidth-limiting module we were using was applying the 384 kbit cap per user, not to the entire site, so multiple simultaneous connections could indeed reach 2 mbit (five or six parallel connections at 384 kbit apiece already add up to roughly 2 mbit). For those who are technical, the module I was using was mod_bw. The documentation for this module is badly written; once I went back and re-read the docs for the directive, I realised, "Oh, so THAT'S what they mean... ugh."
I've addressed this by switching to mod_cband, which lets you set a maximum bandwidth limit for the site as a whole, not per client.
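If the per-client vs. per-site distinction isn't obvious, the whole bug fits in a few lines of throwaway Python (384 kbit is the real figure; the client counts are just for illustration):

PER_CLIENT_KBIT = 384    # the cap that was being applied to each user

# With a per-client cap, the aggregate just scales with the number of leechers:
for clients in (1, 2, 5, 10):
    print(f"{clients:2d} clients -> up to {clients * PER_CLIENT_KBIT} kbit/s total")

# A true per-site cap (what I wanted, and what mod_cband's total limit gives you)
# keeps the aggregate at 384 kbit/s no matter how many connections are open.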
Also, looks like some of the leechers have finally noticed and stopped fetching data:
http://jdc.parodius.com/lj/china_incident/dropped_packets_0329_1054.png. Now all I'm left wondering is if they're just going to find other machines to do this from...