What's up with HN?
I'll provide more details in a full writeup later.
We suffered a DDOS. The volume of traffic was sufficient to keep us from handling it in Arc like we always have before. Simply accepting and dropping all requests not from our office required 45% CPU utilization.
Now nginx is helping with some of the work. Ironically the transition was planned for today anyway, except it was meant to happen at night with no downtime. So it goes.
I'm fixing things as I find they're broken. Please let me know if I've missed anything.
Edit: Yes, I know about and will fix all the SSL resources. Like yours, my Chrome window was also a portal to the '90s for a bit.
Edit Again: Your SSL resources should now be happy. Let me know if I missed any.
127 comments
[ 2.6 ms ] story [ 113 ms ] threadGeesh.
The keyboard is a very interesting idea. There's a free version too.
http://itunes.apple.com/us/app/reddit-notifier/id468366517?m...
Would put a smile on my face too but... I decided to make part of the computation on the server-side so that my desktop software cannot be cracked without rewriting what the server-side does. My desktop app only makes sense when the Internet connection is up and doesn't "phone home" too often.
If users don't like that they can GTFO.
If pirates don't like that it puts a smile on my face ; )
"Hey, this is on Maxis. EA does not force design upon us. We own it, we are working 24/7 to fix it, and we are making progress"
But well, I may be wrong, and Maxis is simply no longer the company that it used to be.
HN has a big table of closures representing actions a user can take. Loading certain pages, such as the reply link on a comment creates more of them. They time out after a while, which will get you "unknown or expired link". Intentionally creating a few million of them ought to fill up the server's memory and would be a more effective way to to impair the server's functionality than simply requesting the home page a few billion times.
Which is to say the blog post about it probably wouldn't be worth reading :)
Assuming the happy path is the road to ruin, even for spammers.
Sorry, I don't mean to be a pedantic jackass, but still I said it.
Now, please stop being a PJ (pedantic jackass). Thanks.
I imagine you're referring to situational irony, but there are a few more literary ways to use it. Ignoring that, it really isn't hard to see how it is ironic that they planned to do today anyways, but instead of everything going smoothly, there was a severe unseen outage that they weren't prepared for.
Is it all down to that one episode of Futurama?
It used to be fine up to today.[2]
[1] - http://img1.imagilive.com/0313/hn-cert-130311.png
[2] - Just FYI, for me, news.ycombinator.com resolves to: 184.172.10.74
So long story short: Firefox demands a chain file for some certificate issues while other browsers just trust the certificate.
Me: "Your site at https://blah.otherdept.myemployer.edu/ is causing visitors to see SSL errors because your web server isn't sending the certificate chain. It probably got messed up when an updated certificate was installed the other day."
Other sysadmin: "It works fine for me. Try clearing your browser's cache."
Me: "No, really, it's not that. Here's the openssl s_client output showing that your server is only sending its own certificate and not any intermediate certificates."
Other sysadmin: "I just tried from another computer in the office, and the site's working fine. You should call the university's helpdesk since the problem is obviously on your end."
Me: profanity
Thanks, now my screen is full of coffee^^
/half-s
http://www.ietf.org/rfc/rfc3514.txt
A site could, because of its own deficiencies in handling normal traffic, call any outage a "DDOS attack". Not saying this is the case with HN, but see what I mean.
Could you at least specify, is this a massive scrape, which would indicate an attempt to pirate or steal information, or a SYN flood type attack (not a ton of GETs) which would indicate an attempt to not steal information but disable the site.
I believe some more insight into what is happening with all these major site attacks will help us to protect our own sites better. Thx,
As much as it sucks, the rule of thumb is that you need every advantage you can get when it comes to being attacked. You gain little by talking about these kinds of things publicly and stand to lose much (by giving away how you're mitigating the problem, for example, possibly leading the attackers to adjust their attack). It's just generally safer not to.
If you are someone who runs a web site, once you hit a certain size where you have to worry about DDoS attacks you will certainly have the kind of industry connections where you can talk about the issue privately and get help and/or help someone. Below a certain size you just don't generally have to worry about it -- and if you do get attacked, the response will mostly be done by your provider as there's not usually a lot you can do if you're just a few servers.
I'm just saying it's not good to post these postmortems publicly. "We got hit by X. We did Y." Now when Q comes along to attack you, they know what not to do and also know how you mitigated X so they can more efficiently attack you. The EV from posting attack postmortems is just not there.
Nah. Well, at least people shouldn't feel that way; publishing your solutions helps us all.
I just don't think that someone sitting on gigabits and gigabits of zombie throughput needs any help figuring how to hose you down.
Additionally, there are different trade-offs for DDOS vs source code. Source code you leave behind obscurity, in order to get a well-tested and well-vetted implementation. In DDOS, you're using ops, not code. All your responses are custom-crafted anyways, so there is no well-tested implementation for you to gain. The benefits of transparency are much smaller, and the benefit is the same.
Any other malicious parties might find it useful.
- Slowloris or HTTP spam attacks on dynamically generated webpages
- Reflected DNS attacks to fill up your bandwidth.
Yes, I live in NYC.
Glad that's over with
Sure a server does crash once in a while but it's not because they purposefuly did overload it.
The DDoS attempt trafic is dispatched left and right just like regular trafic and doesn't affect the normal behavior.
It's more like the single truck can hit any of the 1000000 flying bycicles.
: )
Consider the fact that each of those companies has many services, which can vary widely in usage and capacity.
* http://stackoverflow.com/a/14599129/178651
* http://stackoverflow.com/a/1029613/1395668
I guess I'll have to figure out how hack some Chrome extensions that haven't been updated for 3 years since the creators seem to have hard-coded the HTTP URLs.
E.g. this loads: https://news.ycombinator.com/item?id=5000000
But this 404s: https://news.ycombinator.com/item?id=4999999
Also, if SSL is now a permanent thing for HN, it would be a nice bonus to see "add_header Strict-Transport-Security max-age=31536000;" in the nginx configuration block for the https server...
I doubt the arrow is going to change much, and if it does, just use a new reference!
>Now nginx is helping with some of the work. Ironically the transition was planned for today anyway, except it was meant to happen at night with no downtime. So it goes.
Does this mean that HN no longer uses Arc, but nginx? Or are you using nginx+Arc now?
https://www.ssllabs.com/ssltest/analyze.html?d=news.ycombina...