Sep 21 brief outage and heroku timeouts #1864
Comments
I did file an abuse report with OVH.

Implementing rack-attack would require us configuring a …

@CHF-IT-Staff says that for this fiscal year (2022-2023) it is no problem to add $15-$20 a month for a redis or memcached heroku plugin for …
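For reference, a minimal sketch of what that cache wiring could look like. It assumes Rails 5.2+, the `redis` gem, and a Heroku Redis add-on that sets `REDIS_URL` -- the specific add-on and env var are assumptions, not settled choices.

```ruby
# config/initializers/rack_attack.rb
# Rack::Attack counts requests in a cache, so rate limits that hold across
# dynos/workers need a shared store -- e.g. the redis or memcached add-on
# discussed above. Assumes Rails 5.2+, the `redis` gem, and a REDIS_URL
# set by a Heroku Redis add-on.
Rack::Attack.cache.store = ActiveSupport::Cache::RedisCacheStore.new(
  url: ENV["REDIS_URL"]
)
```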
Very similar incident occurred over the weekend. Same IP address.
I did file an abuse report with OVH, but don't seem to have heard back. OK, maybe we'll get rack-attack going with a) a rate limit, and b) the ability to block-list certain IPs manually.
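A sketch of what (a) and (b) might look like in a rack-attack initializer. The limit numbers are placeholders, and the `BLOCKED_IPS` env var is just one hypothetical way to make the block list editable without a deploy.

```ruby
# config/initializers/rack_attack.rb (sketch)

# (a) Rate limit: throttle any single client IP.
# 120 requests/minute is a placeholder; tune to real traffic.
Rack::Attack.throttle("requests by ip", limit: 120, period: 1.minute) do |req|
  req.ip
end

# (b) Manual block list: deny specific IPs on demand.
# BLOCKED_IPS is a hypothetical comma-separated env var, e.g. set via
# `heroku config:set BLOCKED_IPS=149.56.16.76`.
Rack::Attack.blocklist("manually blocked IPs") do |req|
  ENV.fetch("BLOCKED_IPS", "").split(",").map(&:strip).include?(req.ip)
end
```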
OK, rack-attack caught one! It's a new IP.
It is getting both tracked for exceeding 60 requests per minute, and throttled once it goes on to exceed 120 requests per minute. We are getting more "track" log lines than I wanted -- my attempt to limit the logging to once per period worked, but we still get a log line as often as once every minute, because this client just keeps requesting (even after we throttle it). So we might need to tune the logging further if it turns out to be a lot of noise, but for now we do want to be aware of what's going on. What can we learn about 3.95.223.35?
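For the record, roughly what that track/throttle pair plus the logging looks like. The once-per-period condition shown (log only the request that first crosses the limit) is one way to do it, and it assumes a recent rack-attack where the notification payload includes the request -- treat it as a sketch rather than the exact config.

```ruby
# config/initializers/rack_attack.rb (sketch)

# Track at 60 req/min per IP (log only), throttle at 120 req/min (respond 429).
Rack::Attack.track("busy ip", limit: 60, period: 1.minute) { |req| req.ip }
Rack::Attack.throttle("req/ip", limit: 120, period: 1.minute) { |req| req.ip }

# Log track/throttle matches, but only on the request that first crosses the
# limit, so each rule logs at most about once per period per IP.
ActiveSupport::Notifications.subscribe(/rack_attack/) do |_name, _start, _finish, _id, payload|
  req  = payload[:request]
  data = req.env["rack.attack.match_data"]
  next unless data # blocklist matches carry no count data

  if data[:count] == data[:limit] + 1
    Rails.logger.warn(
      "[rack-attack] #{req.env['rack.attack.match_type']} " \
      "#{req.env['rack.attack.matched']} ip=#{req.ip} path=#{req.path}"
    )
  end
end
```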
What happened
Analysis
Did we have more traffic than usual? Was it bots?
It's hard to say; we don't currently have easily available tools to graph our logs, so we can't see how much traffic there was at a given time, what proportion was bots, or compare that over time.
Ah, but heroku dashboard metrics do show bumps in Response Time, Dyno Load, and Throughput during these times. So that may indicate a burst of traffic, probably? It seems consistent with the theory that throughput went way up, resulting in increased dyno load and increased error responses -- there were not enough workers available to handle all requests and/or not enough CPU on the dyno for the available workers to do what they needed.
Memory usage stayed pretty flat throughout though.
screenshot of heroku dashboard metrics
What does traffic look like?
Again, we don't have tools to give us good descriptive statistics or characterization, so this is just me visually scanning through logs and giving an anecdotal impression.
For the actual H12 requests -- it looks like they never made it to our app to be logged, so we don't have user-agent/bot info for them, only the heroku router log with the requested path.
But looking at requests during that rough time period that did make it to the app...
It looks like there's actually quite a lot of traffic from one IP address specifically: `ua=Chrome-87/Windows-10 ip=149.56.16.76`. It doesn't have a bot User-Agent, but it's a lot of traffic -- maybe 20 requests a second, for a while? There's also plenty of identified bot traffic, like a few bot requests a second. Is this more than usual though? Hard to say; it looks like it might be. Bots include PetalBot and SemrushBot, but also at least a sprinkling of Bing, Apple, etc.
What is the 149.56.16.76 IP?
Not really sure; it seems to be in Canada, hosted by OVH Cloud, "which offers VPS, dedicated servers and other web services." So a rented server. Someone running some kind of experiment? It seems to be doing a crawl of our site (it's accessing all sorts of things), but not respecting robots.txt or advertising itself as a bot in the user-agent. #1008
It seems to have started accessing us last night at 23:38, and stopped at 00:58.
(Although last night wasn't the first time we saw it; it was here a few days ago too.)
We could file an abuse report to OVH at https://www.ovh.com/abuse?
What are identified bots doing?
Actual identified bot traffic is also present, and the bots are scraping a bunch of things they probably don't need to.
Remediation?
- We could (and maybe should) fine-tune our robots.txt to keep even more out. That wouldn't help with the `149.56.16.76` client, which does not seem to be respecting robots.txt. (A rough robots.txt sketch follows after this list.)
- We could also experiment with auto-scaling our web dyno via hirefire. That probably wouldn't have helped against `149.56.16.76` though.
- We could add more puma workers, as we seem to have enough RAM for them.
- We could use rack-attack to rate-limit our clients at the app level. That wouldn't completely stop `149.56.16.76` from DoS'ing us though, as each request would still GET to our app before being quickly rejected by our app with an HTTP 429.
- We could file an abuse report to OVH for `149.56.16.76`.
- We could investigate fronting with CloudFlare, for their security/DoS-prevention features.
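As a rough illustration of the robots.txt tuning mentioned above -- the paths, crawl delays, and choice of bots here are placeholders, not decisions, and note that the `149.56.16.76` client ignores robots.txt entirely:

```text
# public/robots.txt (illustrative only)
User-agent: PetalBot
Disallow: /

User-agent: SemrushBot
Disallow: /

# Crawl-delay is honored by some crawlers (e.g. Bing) and ignored by others.
User-agent: *
Crawl-delay: 10
Disallow: /example-expensive-path/
```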