Full Version: Unusual Virus-driven (?) DDoS ...
The Planet Forums > Security > DoS & D-DoS Mitigation
hulkster
So I've had a bit of experience with the Slashdot Effect but I have something ongoing that is (basically) a sustained Slashdot Effect ... and getting worse! :-(

For years, I've had browser info and geolocation script on my web server. It was just a quick hack that I thought I'd share with others. So normally, this script gets about a thousand hits/day, but there was a ten-fold increase starting October 4th, 2005 and it continues to climb dramatically. A week later on October 11th, there were 74,886 hits - that is almost one/second. And a month later, there were 1,025,898 hits on November 14th - i.e. over ten/second - YIKES!

Looking at the Apache logs, all the "new surfers" are showing up without a Referer or User-Agent. The latter is unusual because while it can be spoofed, it's not often done. My guess is that some virus (or program) is propagating out there in the "wild" and querying my web site for some piece of information as part of the program itself. So what the heck is this, who/where did it come from, what is the intent, and why is it using my CGI script?

Again, this is a rather unusual DDoS ... read more about it here (yes, I've tried some of the obvious remedies) ... but I'd be curious what thoughts other SM folks and staff have ... and could FloodGuard be used to target this specific traffic?
Matt2k
Summon the warrior force from within and commandeer a compromised workstation. Dig deep into the viscerals of the beast, locating the evils within. Exorcise them with various cheaply bought oils and tools of wicked design. Call forth the agents of AVG and Dr. Norton and bind them to your will. Stay ever vigilant!!!
hulkster
Problem is that it is several thousand unique IPs ... plus I have mixed feelings about doing a "counter-strike" ... although yea, if doable, that would be one way to dissect what the source of this is ... although really would not turn it off except for that machine.

+5 funny (and informative) post on your part - well done!
Serhat
Do you see a lot of repeats from the same IPs or is it more varied? You could try changing the location of the script or forcing a valid referrer.
Matt2k
One of the IPs comes from my town's Verizon DSL service.

Curious to know what it is, but I agree, the easiest way to fix is to change the location of the script or ban blank user agent strings.
hulkster
As noted in my writeup I'm basically 404'ing the request if it matches the signature (that URL and null User-Agent). However, that does NOT stop the inbound traffic - i.e. 1,000,000+ requests/day for a page that doesn't exist. Is there something at the host network stack or network hardware level that could be done?
Matt2k
It's kind of interesting to note that the number of hosts is decreasing, less than half of what it was at the peak, but the number of requests is going up dramatically. It's like some loosely distributed software or trojan that is slowly being removed, but received a remote request to suddenly ramp up.

I really don't know if anything else easily can be done beyond what you're doing.
hulkster
Yea, I noticed that also - a good sign - peak requests from a single IP (61.142.209.157) was 36,580 (which could be blocked at the host network level by IP) but thankfully the number of IPs has decreased ... but I'm kinda curious (hopeful!) this might start petering out.

I have some better reporting set up now so I can more easily see the trend going forward.

Any comments from the SM Staff if they have seen this type of DDoS?
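The kind of reporting the thread converges on (match the script URL with a blank Referer and blank User-Agent, count hits per source IP, and list the heaviest offenders as candidates for a host-level firewall block), written out as an added example that is not code from the original thread. The script path `/cgi-bin/browser.cgi` is a placeholder, and the log lines are constructed for the example; only the IP 61.142.209.157 comes from the thread.

```python
import re
from collections import Counter

# Hypothetical location of the browser-info / geolocation CGI script.
SCRIPT_PATH = "/cgi-bin/browser.cgi"

# Constructed sample lines in Apache "combined" log format. Apache logs an
# absent Referer or User-Agent header as "-".
SAMPLE_LOG = """\
61.142.209.157 - - [14/Nov/2005:10:00:01 -0800] "GET /cgi-bin/browser.cgi HTTP/1.0" 200 512 "-" "-"
61.142.209.157 - - [14/Nov/2005:10:00:02 -0800] "GET /cgi-bin/browser.cgi HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [14/Nov/2005:10:00:03 -0800] "GET /cgi-bin/browser.cgi HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0 (X11; Linux)"
198.51.100.7 - - [14/Nov/2005:10:00:04 -0800] "GET /cgi-bin/browser.cgi HTTP/1.0" 200 512 "-" "-"
198.51.100.7 - - [14/Nov/2005:10:00:05 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.4 - - [14/Nov/2005:10:00:06 -0800] "GET /cgi-bin/browser.cgi HTTP/1.0" 404 200 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matches_signature(rec, path=SCRIPT_PATH):
    """The thread's signature: the script URL requested with no Referer and no User-Agent.
    An empty string is treated the same as Apache's "-" marker."""
    blank = ("", "-")
    return (rec["path"].split("?")[0] == path
            and rec["ua"] in blank
            and rec["referer"] in blank)


def signature_hits_per_ip(log_text, path=SCRIPT_PATH):
    """Count signature-matching requests per client IP over a block of log text.
    A 404 response still counts: the request reached the server either way."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and matches_signature(rec, path):
            counts[rec["ip"]] += 1
    return counts


def summarize(log_text, path=SCRIPT_PATH):
    """Totals of the kind the thread reports: requests, signature hits, distinct source IPs."""
    total = sum(1 for line in log_text.splitlines() if line.strip())
    hits = signature_hits_per_ip(log_text, path)
    return {
        "total_requests": total,
        "signature_hits": sum(hits.values()),
        "unique_ips": len(hits),
    }


def block_candidates(counts, threshold):
    """IPs whose signature hit count reaches the threshold, busiest first.
    These are the addresses worth dropping at the host firewall, since a 404 from
    Apache still costs a TCP handshake and a full request per hit."""
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = signature_hits_per_ip(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    for ip in block_candidates(counts, threshold=2):
        print(f"candidate for host-level block: {ip} ({counts[ip]} hits)")
```

Run it against a real access log by reading the file into `signature_hits_per_ip` instead of `SAMPLE_LOG`; the threshold is the knob that separates a single runaway client (the 36,580-hit IP in the thread) from the long tail of hosts that only hit the script a few times each.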