Antti-Juhani Kaijanaho

2005-02-13

I hate referer spammers

(For those of you who are into English spelling and don't know enough of HTTP to know better: referer is nowadays an intentional misspelling. Read the HTTP specs if you want to know the whys of it.)

Referer spamming is one of the stupidest things I've run across. The concept is that the spammer requests blog pages repeatedly with different referer URLs, supposedly with the intent that the URLs would be visible from a "sites that link to me" box. So far, it actually makes sense, in the crappy way spamming makes sense in general. However, my blog does not publish referer URLs and has, with one brief exception, never done so (I tried it for a few days a long time ago but stopped when I first experienced referer spam). Now, the spammer gets nothing from spamming my blog. Except, perhaps, my wrath.

In itself, referer spamming is harmless. I have never used my logs for intelligence gathering (I suspect it would be illegal in Finland, anyway), so the fact that referer spam messes up referer statistics has never bothered me. However...

In the last week, my server has mysteriously died several times, apparently due to being out of memory. I heard rumors of stupid referer spammers overloading servers, but I could not ascertain whether this was the case. Until today, that is, when my father phoned me (and woke me:) to inform me that the server is down again. I got lucky this time, because I was there when the attack was in progress and I still had (barely!) control over the server; it hadn't yet OOM'd ssh. I suppose my earlier addition of vm.overcommit_memory = 2 to sysctl.conf was partly to blame for this fortunate accident. I could verify that I had a load of over 150 and a lot of blosxom processes. In other words, the spammers were so enthusiastic that they choked my server in the process. Smart, isn't it?

I immediately killed the blosxom processes and apache. I then tuned apache down by lowering the maximum number of simultaneous connections. When I restarted apache, the spammers started again, but the load was merely in the 70's and my server stood, panting but alive. I added iptables bans for the offending IP blocks (yes, I blocked whole networks), as a temporary solution. After nearly six hours of work, I found mod_choke and configured it, and lifted the bans.
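
The pattern described above, many requests from one network carrying many different external Referer hosts, can be picked out of an Apache combined-format access log. The following is an added example, not part of the original post; the log lines, host names, thresholds and function name are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

def referer_spam_networks(lines, own_host, min_requests=4, min_ref_hosts=3, prefix=24):
    """Return {network: (requests, distinct external Referer hosts)} for suspect networks.

    Thresholds are illustrative assumptions; tune them against normal traffic.
    """
    hits = defaultdict(int)
    ref_hosts = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ip, referer = m.groups()
        try:
            net = ip_network(f"{ip}/{prefix}", strict=False)  # group clients by network
            host = (urlsplit(referer).hostname or "").lower()
        except ValueError:
            continue  # client field is not an IP address, or the Referer is malformed
        hits[net] += 1
        if host and host != own_host:  # "-" and self-referrals do not count
            ref_hosts[net].add(host)
    return {str(n): (hits[n], len(ref_hosts[n])) for n in hits
            if hits[n] >= min_requests and len(ref_hosts[n]) >= min_ref_hosts}

# Constructed sample log (documentation address ranges, .example host names).
_FMT = '{} - - [13/Feb/2005:09:00:00 +0200] "GET /en/ HTTP/1.0" 200 5120 "{}" "Mozilla/4.0"'
SAMPLE_LOG = [_FMT.format(ip, ref) for ip, ref in [
    ("192.0.2.10", "http://a.example/"),            # one network, a new external
    ("192.0.2.11", "http://b.example/"),            # Referer host on every request
    ("192.0.2.10", "http://c.example/buy"),
    ("192.0.2.12", "http://d.example/"),
    ("198.51.100.7", "-"),                          # ordinary reader: no Referer,
    ("198.51.100.7", "http://blog.example/en/"),    # self-referrals and a single
    ("198.51.100.7", "http://search.example/?q=x"), # external Referer host
    ("198.51.100.7", "-"),
    ("203.0.113.5", "http://e.example/"),           # single hit, below the threshold
]]

if __name__ == "__main__":
    for net, (reqs, hosts) in referer_spam_networks(SAMPLE_LOG, "blog.example").items():
        print(f"{net}: {reqs} requests, {hosts} distinct external Referer hosts")
```
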

You know why I hate the spammers? They don't have the sense to help me configure my server - I haven't seen a trace of them since I added mod_choke (and that's not mod_choke's doing). Now I have to wait for an attack to see if it works or not. And with luck, I won't be there when it happens and can only guess after the fact.

Damn them.

18:22 - /en/stuff - 2 comments