Markus pointed it out to me that my server showed some “Bad Gateway”; errors. I ssh’ed to it and interestingly, my server also behaved REALLY sluggishly.

Lookind at my access logs for marc-seeger.de, I can only assume sombody went crazy for my site:

[…]
87.78.224.179 – - [14/Jun/2009:23:32:26 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
87.78.224.179 – - [14/Jun/2009:23:32:26 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
87.78.224.179 – - [14/Jun/2009:23:32:28 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
87.78.224.179 – - [14/Jun/2009:23:32:30 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
87.78.224.179 – - [14/Jun/2009:23:32:33 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
87.78.224.179 – - [14/Jun/2009:23:32:34 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
87.78.224.179 – - [14/Jun/2009:23:32:35 +0200] ”GET / HTTP/1.1”; 200 13851 “-“; “JoeDog/1.00 [en] (X11; I; Siege 2.69)”;
[…]

The JoeDog / SIege User agent seems to be part of a sofware used for performance testing.
Seems to be a DOS attack :-/

Let’s look at the amount of data already used:

1
2
cat logs/marc_seeger_de.access.log | grep JoeDog | wc -l
2203

Now let’s look at the IP:

1
2
3
Host        xdsl-87-78-224-179.netcologne.de
Location         DE, Germany
City        Troisdorf, 07 -

I wrote an abuse mail and dediced to simply block the referer in nginx using:

1
2
3
        if ($http_user_agent * JoeDog) {
            return 403;
        }

This reminds me, I need to implement more caching. Maybe Rack:Cache

Comments