When an Apparent DDOS Attack is a Good Thing
Two years ago, Both.org was redesigned to be a place where those of us who wrote for Opensource.com (OSDC) would have a new place to gather and write. We started slowly and have been growing steadily to about 2K visitors and 3K page views per day.
The Problem
But yesterday — as I write this — we had a huge bump in traffic, to 9,624 visitors and 19,256 page views. Most were from a single geopolitical region. This traffic seems to be continuing today.
At first this seemed to be a DDOS attack, but the WPStatistics module we use tells me it’s something different. Most of this traffic seems to be coming from a wide range of locations and visitors within that geopolitical region. Each visitor seems to view a few pages and then exit. This just seems like a data scraping mission with some IP source address spoofing to hide its true origin.
The Unintended Benefit
This was a great test of the ability of Both.org to sustain high levels of traffic.
Both.org has been experiencing from 30 to 125 concurrent users for more than 24 hours. This has been a great load test for us and our infrastructure.
Some of you already know that Both.org is run on one server out of my home, along with a firewall/router. Both are Linux boxes with very similar, modest build specifications. The specs for our server are shown in Figure 1, and those for the firewall are nearly the same.
#######################################################################
# MOTD for Sat Dec 20 03:30:54 AM EST 2025
# HOST NAME: yorktown.both.org
# Machine Type: physical machine.
# Host architecture: X86_64
#----------------------------------------------------------------------
# System Serial No.: Default string
# System UUID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# Motherboard Mfr: Gigabyte Technology Co., Ltd.
# Motherboard Model: Z370 HD3-CF
# Motherboard Serial: Default string
# BIOS Release Date: 03/01/2018
#----------------------------------------------------------------------
# CPU Model: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
# CPU Data: 1 Six Core package with 12 CPUs
# CPU Architecture: x86_64
# HyperThreading: Yes
# Max CPU MHz: 4600.0000
# Current CPU MHz: 4300.200
# Min CPU MHz: 800.0000
#----------------------------------------------------------------------
# RAM: 31.212 GB
# SWAP: 7.999 GB
#----------------------------------------------------------------------
# Install Date: Tue 28 Oct 2025 08:59:47 PM EDT
# Linux Distribution: Fedora 43 (Forty Three) X86_64
# Kernel Version: 6.17.12-300.fc43.x86_64
#----------------------------------------------------------------------
# Disk Partition Info
# Filesystem Size Used Avail Use% Mounted on
# /dev/mapper/vg01-root 9.8G 308M 9.1G 4% /
# /dev/mapper/vg01-usr 25G 16G 7.8G 67% /usr
# /dev/sda1 2.0G 483M 1.4G 27% /boot
# /dev/mapper/vg01-var 73G 51G 20G 73% /var
# /dev/mapper/vg01-tmp 20G 148K 19G 1% /tmp
# /dev/mapper/vg01-home 20G 6.8G 12G 37% /home
#----------------------------------------------------------------------
# LVM Physical Volume Info
# PV VG Fmt Attr PSize PFree
# /dev/sda2 vg01 lvm2 a-- 72.00g 2.00g
# /dev/sda3 vg01 lvm2 a-- <224.08g 145.08g
#######################################################################Figure 1: The specs for the hardware that runs Both.org are quite modest.
Both.org runs on a server I built in 2018. It has a GigaByte Z370 motherboard, an Intel I7-8700 with 6-cores and 12 CPUs at 3.6GHz overclocked to 4.2 GHz, and 32GB of RAM. This server runs on Fedora, and also runs one other website; along with my DNS, DHCP, Sendmail, IMAP, and NTP services. We use a local WordPress instance and MariaDB for the website itself.
I also like to use System Activity Reporter (SAR) which generates a snapshot of system usage for many aspects of the running system in 10 minute increments. Figure 2 shows the time from 12:50 through 15:20 yesterday when we had over 100 simultaneous visitors on the server. Idle time is in the mid- to high-90s, as it was for the entire day.
12:50:00 PM CPU %usr %nice %sys %iowait %steal %irq %soft %guest %gnice %idle
01:00:00 PM all 1.65 0.96 0.55 0.58 0.00 0.13 0.11 0.00 0.00 96.04
01:00:00 PM 0 1.80 0.38 1.20 0.18 0.00 0.89 0.21 0.00 0.00 95.34
01:00:00 PM 1 1.10 0.84 0.54 0.44 0.00 0.06 0.17 0.00 0.00 96.86
01:00:00 PM 2 1.11 0.04 0.38 0.48 0.00 0.05 0.04 0.00 0.00 97.90
01:00:00 PM 3 1.97 0.10 0.37 0.49 0.00 0.04 0.02 0.00 0.00 97.01
01:00:00 PM 4 1.65 0.99 0.33 0.70 0.00 0.05 0.02 0.00 0.00 96.28
01:00:00 PM 5 2.36 2.31 0.35 0.56 0.00 0.05 0.01 0.00 0.00 94.37
01:00:00 PM 6 1.75 1.60 0.50 0.62 0.00 0.06 0.01 0.00 0.00 95.46
01:00:00 PM 7 2.00 2.60 1.16 1.47 0.00 0.06 0.05 0.00 0.00 92.65
01:00:00 PM 8 1.67 0.25 0.45 0.54 0.00 0.04 0.01 0.00 0.00 97.04
01:00:00 PM 9 1.30 0.95 0.31 0.68 0.00 0.05 0.01 0.00 0.00 96.71
01:00:00 PM 10 2.05 0.20 0.70 0.43 0.00 0.04 0.01 0.00 0.00 96.56
01:00:00 PM 11 1.02 1.21 0.29 0.33 0.00 0.14 0.73 0.00 0.00 96.29
01:10:00 PM all 1.53 0.79 0.54 0.54 0.00 0.12 0.10 0.00 0.00 96.38
01:10:00 PM 0 1.66 0.71 1.48 0.22 0.00 0.87 0.21 0.00 0.00 94.86
01:10:00 PM 1 0.93 1.13 0.53 0.40 0.00 0.07 0.17 0.00 0.00 96.78
01:10:00 PM 2 1.17 1.80 0.35 0.27 0.00 0.05 0.04 0.00 0.00 96.33
01:10:00 PM 3 1.29 0.28 0.26 0.39 0.00 0.04 0.01 0.00 0.00 97.73
01:10:00 PM 4 1.26 0.15 0.47 0.41 0.00 0.04 0.01 0.00 0.00 97.66
01:10:00 PM 5 1.51 0.02 0.44 0.52 0.00 0.06 0.02 0.00 0.00 97.44
01:10:00 PM 6 2.17 2.75 0.63 0.20 0.00 0.04 0.01 0.00 0.00 94.19
01:10:00 PM 7 2.11 0.00 0.79 1.70 0.00 0.05 0.04 0.00 0.00 95.32
01:10:00 PM 8 1.73 0.91 0.40 0.71 0.00 0.05 0.01 0.00 0.00 96.18
01:10:00 PM 9 1.07 0.04 0.29 0.68 0.00 0.06 0.02 0.00 0.00 97.85
01:10:00 PM 10 1.91 0.87 0.44 0.49 0.00 0.04 0.01 0.00 0.00 96.24
01:10:00 PM 11 1.58 0.84 0.39 0.51 0.00 0.11 0.60 0.00 0.00 95.97
01:20:00 PM all 1.38 0.77 0.51 0.57 0.00 0.12 0.09 0.00 0.00 96.55Figure 2: The SAR results for the time from 12:50 through 15:20 yesterday when we had over 100 simultaneous visitors. You may want to reduce the size of the image in your browser (Ctl- –) to align the columns for a better view.
Other measured stats such as page swaps, disk usage, and load averages tell the same story. Figure 3 shows the load averages during that same time period.
12:00:00 AM runq-sz plist-sz ldavg-1 ldavg-5 ldavg-15 blocked
<SNIP>
12:50:00 PM 0 895 0.58 0.46 0.39 0
01:00:00 PM 0 949 1.12 0.58 0.43 0
01:10:00 PM 1 958 0.50 0.48 0.45 0
01:20:00 PM 1 951 0.21 0.31 0.36 1Figure 3: The load averages during that same time period.
Figure 4 shows the network interface statistics for that same time period.
12:00:00 AM IFACE rxpck/s txpck/s rxkB/s txkB/s rxcmp/s txcmp/s rxmcst/s %ifutil
<SNIP>
12:50:00 PM lo 2.31 2.31 0.25 0.25 0.00 0.00 0.00 0.00
12:50:00 PM enp0s31f6 169.72 321.61 17.45 434.29 0.00 0.00 0.00 0.36
01:00:00 PM lo 2.41 2.41 0.26 0.26 0.00 0.00 0.00 0.00
01:00:00 PM enp0s31f6 292.03 557.58 28.40 771.93 0.00 0.00 0.00 0.63
01:10:00 PM lo 2.38 2.38 0.27 0.27 0.00 0.00 0.00 0.00
01:10:00 PM enp0s31f6 202.36 368.93 20.18 501.84 0.00 0.00 0.00 0.41
01:20:00 PM lo 2.19 2.19 0.24 0.24 0.00 0.00 0.00 0.00
01:20:00 PM enp0s31f6 153.20 286.38 15.42 383.70 0.00 0.00 0.00 0.31
Average: lo 1.33 1.33 0.46 0.46 0.00 0.00 0.00 0.00
Average: enp0s31f6 157.50 296.79 19.95 393.59 0.00 0.00 0.00 0.32Figure 4: Network statistics show high rates of data transmissions.
These numbers were typical for most of the day. The overall average for the day was 393.59 kB/s * 60 sec/Min * 60Min/Hr * 24 = 34.006,176 GB of data transmitted for the entire day. A typical day for Both.org is about 5.0 GB total data transmitted.
My Thoughts
This is really amazing performance for a pair of 7 year old systems that had decent but middle of the road specs when they were built. I think this perfectly illustrates the capabilities of current releases of Linux in general and Fedora in particular on older hardware that many would throw away just because M$ demands it.
It also shows increased interest in Both.org. And that’s a good thing.
More Stories
Mozilla Firefox AI Slop
I've been using Mozilla Firefox since its original release 21 years ago. Firefox started as an excellent open source browser...
Reviving a Windows Laptop with Linux Tools and ClamAV
Recently, I was helping a Windows-using friend transition from her ten-year-old Windows 10 laptop to a new Windows 11 laptop....
Converting to BtrFS — Episode 4
In the 3rd episode of this series, I used the btrfs-convert command to convert the EXT4 filesystem on an LVM...
Advanced stress testing for DevOps
I recently discovered stress-ng which, while similar to the original stress program, offers far more flexibility and granularity in testing.
System76 and the New COSMIC Desktop
System76 is celebrating 20 years, and they did so by officially releasing Pop!_OS 24.04 LTS and the COSMIC desktop. I got an...
Everything you never wanted to know about the /etc/fstab File
Mounting of filesystems during the startup process is managed by the /etc/fstab configuration file.