* * * * *
                                        
                        Oh, so they were used after all
                                        
So apparently the sites where in actual use [1], hence the query for which
site was under attack [2]. Also, it turned out that the traffic spike I saw
might not have been an actual SYN attack [3], but instead legitimate traffic.

It seems that the company that owns the sites have a domain that has nothing
but advertising banners for gambling sites (since that's what they do) for
which they bought advertising space on a bunch of porn sites (I'm sure on the
theory of “in for a penny, in for a pound” but in this case, “in for a vice,
in for a whole slew of vices”) and it caught our server unaware.

It's not like the server can't handle the load, but that Apache [4] wasn't
configured for such a spike in traffic. Now that I've tweaked the operating
system (Linux):

> sysctl -w net.ipv4.tcp_syncookies=1
> sysctl -w net.ipv4.tcp_max_syn_backlog=2048
> sysctl -w net.ipv4.tcp_syn_retries=2
> 

But also tweaked KeepAliveTimeout [5], MinSpareServers [6], MaxSpareServers
[7], StartServers [8] and MaxClients [9] in the Apache configuration (doubled
each except for KeepAliveTimeout which I decreased) the server is having no
problem keeping up with the traffice (I also copied the site to the second
server and round-robinning requests between the two).

[1] gopher://gopher.conman.org/0Phlog:2005/08/08.3
[2] gopher://gopher.conman.org/0Phlog:2005/08/10.1
[3] gopher://gopher.conman.org/0Phlog:2004/01/04.2
[4] http://httpd.apache.org/
[5] http://httpd.apache.org/docs/1.3/mod/core.html#keepalivetimeout
[6] http://httpd.apache.org/docs/1.3/mod/core.html#minspareservers
[7] http://httpd.apache.org/docs/1.3/mod/core.html#maxspareservers
[8] http://httpd.apache.org/docs/1.3/mod/core.html#startservers
[9] http://httpd.apache.org/docs/1.3/mod/core.html#maxclients

Email Sean Conner at sean@conman.org

.