{"id":13012,"date":"2025-12-20T13:37:03","date_gmt":"2025-12-20T18:37:03","guid":{"rendered":"https:\/\/www.both.org\/?p=13012"},"modified":"2025-12-20T13:37:03","modified_gmt":"2025-12-20T18:37:03","slug":"when-an-apparent-ddos-attack-is-a-good-thing","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=13012","title":{"rendered":"When an Apparent DDOS Attack is a Good Thing"},"content":{"rendered":"
\r\n
\r\n \r\n <\/i>\r\n <\/a>\r\n <\/span>\r\n<\/div><\/div>\n

Two years ago, Both.org was redesigned to be a place where those of us who wrote for Opensource.com (OSDC) would have a new place<\/a> to gather and write. We started slowly and have been growing steadily to about 2K visitors and 3K page views per day. <\/p>\n\n\n\n

The Problem<\/h2>\n\n\n\n

But yesterday — as I write this — we had a huge bump in traffic, to 9,624 visitors and 19,256 page views. Most were from a single geopolitical region. This traffic seems to be continuing today. <\/p>\n\n\n\n

At first this seemed to be a DDOS attack, but the WPStatistics module we use tells me it’s something different. Most of this traffic seems to be coming from a wide range of locations and visitors within that geopolitical region. Each visitor seems to view a few pages and then exit. This just seems like a data scraping mission with some IP source address spoofing to hide its true origin.<\/p>\n\n\n\n

The Unintended Benefit<\/h2>\n\n\n\n

This was a great test of the ability of Both.org to sustain high levels of traffic. <\/p>\n\n\n\n

Both.org has been experiencing from 30 to 125 concurrent users for more than 24 hours. This has been a great load test for us and our infrastructure. <\/p>\n\n\n\n

Some of you already know that Both.org is run on one server out of my home, along with a firewall\/router. Both are Linux boxes with very similar, modest build specifications. The specs for our server are shown in Figure 1, and those for the firewall are nearly the same.<\/p>\n\n\n\n

#######################################################################\n# MOTD for Sat Dec 20 03:30:54 AM EST 2025\n# HOST NAME:            yorktown.both.org\n# Machine Type:         physical machine.\n# Host architecture:    X86_64\n#----------------------------------------------------------------------\n# System Serial No.:    Default string\n# System UUID:          XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n# Motherboard Mfr:      Gigabyte Technology Co., Ltd.\n# Motherboard Model:    Z370 HD3-CF\n# Motherboard Serial:   Default string\n# BIOS Release Date:    03\/01\/2018\n#----------------------------------------------------------------------\n# CPU Model:            Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz\n# CPU Data:             1 Six Core package with 12 CPUs\n# CPU Architecture:     x86_64\n# HyperThreading:       Yes\n# Max CPU MHz:          4600.0000\n# Current CPU MHz:      4300.200\n# Min CPU MHz:          800.0000\n#----------------------------------------------------------------------\n# RAM:                  31.212 GB\n# SWAP:                 7.999 GB\n#----------------------------------------------------------------------\n# Install Date:         Tue 28 Oct 2025 08:59:47 PM EDT\n# Linux Distribution:   Fedora 43 (Forty Three) X86_64\n# Kernel Version:       6.17.12-300.fc43.x86_64\n#----------------------------------------------------------------------\n# Disk Partition Info\n# Filesystem             Size  Used Avail Use% Mounted on\n# \/dev\/mapper\/vg01-root  9.8G  308M  9.1G   4% \/\n# \/dev\/mapper\/vg01-usr    25G   16G  7.8G  67% \/usr\n# \/dev\/sda1              2.0G  483M  1.4G  27% \/boot\n# \/dev\/mapper\/vg01-var    73G   51G   20G  73% \/var\n# \/dev\/mapper\/vg01-tmp    20G  148K   19G   1% \/tmp\n# \/dev\/mapper\/vg01-home   20G  6.8G   12G  37% \/home\n#----------------------------------------------------------------------\n# LVM Physical Volume Info\n# PV            VG              Fmt     Attr    PSize   PFree\n# \/dev\/sda2     vg01    lvm2    a--     72.00g  2.00g\n# \/dev\/sda3     vg01    lvm2    a--     <224.08g        145.08g\n#######################################################################<\/code><\/pre>\n\n\n\n
Figure 1: The specs for the hardware that runs Both.org are quite modest.<\/p>\n\n\n\n
Both.org runs on a server I built in 2018. It has a GigaByte Z370 motherboard, an Intel I7-8700 with 6-cores and 12 CPUs at 3.6GHz overclocked to 4.2 GHz, and 32GB of RAM. This server runs on Fedora, and also runs one other website; along with my DNS, DHCP, Sendmail, IMAP, and NTP services. We use a local WordPress instance and MariaDB for the website itself. <\/p>\n\n\n\n
I also like to use System Activity Reporter (SAR) which generates a snapshot of system usage for many aspects of the running system in 10 minute increments. Figure 2 shows the time from 12:50 through 15:20 yesterday when we had over 100 simultaneous visitors on the server. Idle time is in the mid- to high-90s, as it was for the entire day. <\/p>\n\n\n\n
12:50:00 PM     CPU      %usr     %nice      %sys   %iowait    %steal      %irq     %soft    %guest    %gnice     %idle\n01:00:00 PM     all      1.65      0.96      0.55      0.58      0.00      0.13      0.11      0.00      0.00     96.04\n01:00:00 PM       0      1.80      0.38      1.20      0.18      0.00      0.89      0.21      0.00      0.00     95.34\n01:00:00 PM       1      1.10      0.84      0.54      0.44      0.00      0.06      0.17      0.00      0.00     96.86\n01:00:00 PM       2      1.11      0.04      0.38      0.48      0.00      0.05      0.04      0.00      0.00     97.90\n01:00:00 PM       3      1.97      0.10      0.37      0.49      0.00      0.04      0.02      0.00      0.00     97.01\n01:00:00 PM       4      1.65      0.99      0.33      0.70      0.00      0.05      0.02      0.00      0.00     96.28\n01:00:00 PM       5      2.36      2.31      0.35      0.56      0.00      0.05      0.01      0.00      0.00     94.37\n01:00:00 PM       6      1.75      1.60      0.50      0.62      0.00      0.06      0.01      0.00      0.00     95.46\n01:00:00 PM       7      2.00      2.60      1.16      1.47      0.00      0.06      0.05      0.00      0.00     92.65\n01:00:00 PM       8      1.67      0.25      0.45      0.54      0.00      0.04      0.01      0.00      0.00     97.04\n01:00:00 PM       9      1.30      0.95      0.31      0.68      0.00      0.05      0.01      0.00      0.00     96.71\n01:00:00 PM      10      2.05      0.20      0.70      0.43      0.00      0.04      0.01      0.00      0.00     96.56\n01:00:00 PM      11      1.02      1.21      0.29      0.33      0.00      0.14      0.73      0.00      0.00     96.29\n01:10:00 PM     all      1.53      0.79      0.54      0.54      0.00      0.12      0.10      0.00      0.00     96.38\n01:10:00 PM       0      1.66      0.71      1.48      0.22      0.00      0.87      0.21      0.00      0.00     94.86\n01:10:00 PM       1      0.93      1.13      0.53      0.40      0.00      0.07      0.17      0.00      0.00     96.78\n01:10:00 PM       2      1.17      1.80      0.35      0.27      0.00      0.05      0.04      0.00      0.00     96.33\n01:10:00 PM       3      1.29      0.28      0.26      0.39      0.00      0.04      0.01      0.00      0.00     97.73\n01:10:00 PM       4      1.26      0.15      0.47      0.41      0.00      0.04      0.01      0.00      0.00     97.66\n01:10:00 PM       5      1.51      0.02      0.44      0.52      0.00      0.06      0.02      0.00      0.00     97.44\n01:10:00 PM       6      2.17      2.75      0.63      0.20      0.00      0.04      0.01      0.00      0.00     94.19\n01:10:00 PM       7      2.11      0.00      0.79      1.70      0.00      0.05      0.04      0.00      0.00     95.32\n01:10:00 PM       8      1.73      0.91      0.40      0.71      0.00      0.05      0.01      0.00      0.00     96.18\n01:10:00 PM       9      1.07      0.04      0.29      0.68      0.00      0.06      0.02      0.00      0.00     97.85\n01:10:00 PM      10      1.91      0.87      0.44      0.49      0.00      0.04      0.01      0.00      0.00     96.24\n01:10:00 PM      11      1.58      0.84      0.39      0.51      0.00      0.11      0.60      0.00      0.00     95.97\n01:20:00 PM     all      1.38      0.77      0.51      0.57      0.00      0.12      0.09      0.00      0.00     96.55<\/code><\/pre>\n\n\n\n
Figure 2: The SAR results for the time from 12:50 through 15:20 yesterday when we had over 100 simultaneous visitors. You may want to reduce the size of the image in your browser (Ctl- –<\/strong>) to align the columns for a better view.<\/p>\n\n\n\n
Other measured stats such as page swaps, disk usage, and load averages tell the same story. Figure 3 shows the load averages during that same time period.<\/p>\n\n\n\n
12:00:00 AM   runq-sz  plist-sz   ldavg-1   ldavg-5  ldavg-15   blocked\n<SNIP>\n12:50:00 PM         0       895      0.58      0.46      0.39         0\n01:00:00 PM         0       949      1.12      0.58      0.43         0\n01:10:00 PM         1       958      0.50      0.48      0.45         0\n01:20:00 PM         1       951      0.21      0.31      0.36         1<\/code><\/pre>\n\n\n\n
Figure 3: The load averages during that same time period. <\/p>\n\n\n\n
Figure 4 shows the network interface statistics for that same time period.<\/p>\n\n\n\n
12:00:00 AM     IFACE   rxpck\/s   txpck\/s    rxkB\/s    txkB\/s   rxcmp\/s   txcmp\/s  rxmcst\/s   %ifutil\n<SNIP>\n12:50:00 PM        lo      2.31      2.31      0.25      0.25      0.00      0.00      0.00      0.00\n12:50:00 PM enp0s31f6    169.72    321.61     17.45    434.29      0.00      0.00      0.00      0.36\n01:00:00 PM        lo      2.41      2.41      0.26      0.26      0.00      0.00      0.00      0.00\n01:00:00 PM enp0s31f6    292.03    557.58     28.40    771.93      0.00      0.00      0.00      0.63\n01:10:00 PM        lo      2.38      2.38      0.27      0.27      0.00      0.00      0.00      0.00\n01:10:00 PM enp0s31f6    202.36    368.93     20.18    501.84      0.00      0.00      0.00      0.41\n01:20:00 PM        lo      2.19      2.19      0.24      0.24      0.00      0.00      0.00      0.00\n01:20:00 PM enp0s31f6    153.20    286.38     15.42    383.70      0.00      0.00      0.00      0.31\nAverage:           lo      1.33      1.33      0.46      0.46      0.00      0.00      0.00      0.00\nAverage:    enp0s31f6    157.50    296.79     19.95    393.59      0.00      0.00      0.00      0.32<\/code><\/pre>\n\n\n\n
Figure 4: Network statistics show high rates of data transmissions.<\/strong><\/p>\n\n\n\n
These numbers were typical for most of the day.  The overall average for the day was 393.59 kB\/s * 60 sec\/Min * 60Min\/Hr * 24 = 34.006,176 GB of data transmitted for the entire day. A typical day for Both.org is about 5.0 GB total data transmitted. <\/p>\n\n\n\n
My Thoughts<\/h2>\n\n\n\n
This is really amazing performance for a pair of 7 year old systems that had decent but middle of the road specs when they were built. I think this perfectly illustrates the capabilities of current releases of Linux in general and Fedora in particular on older hardware that many would throw away just because M$ demands it. <\/p>\n\n\n\n
It also shows increased interest in Both.org. And that’s a good thing.<\/p>\n","protected":false},"excerpt":{"rendered":"
Both.org is 2 years old and has been growing steadily. But we’re now seeing some interesting growth phenomena. <\/p>\n","protected":false},"author":2,"featured_media":4837,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[5,891,89],"tags":[97],"class_list":["post-13012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-stress-testing","category-system-administration","tag-sysadmin"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/13012","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13012"}],"version-history":[{"count":11,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/13012\/revisions"}],"predecessor-version":[{"id":13023,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/13012\/revisions\/13023"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/4837"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}