Changes to our handling of rogue requests

[whole diary]

[grahame]

I have updated our server and there's now a new (and far cheaper) error page send out to visitors from blacklisted remote address ranges. A cheap error page rather than returning a real response saves our admin team from having trawl through thousands of sign up requests, saves our server resources for use on handling real requests, and saves us from most attempts to inject code or content into our systems.

The volume of traffic from rogue addresses can be huge - 60,000 requests from a single location yesterday, with them arriving at a rate of over ten per second at a peak.  And in some circumstances, our server blacklists a range automatically. Very occasionally, a blacklisted lasso takes in a forum member as well as the rogue traffic - should you get an error page, please email me with the description block - example follows - and I can sort you out.  If you get a page like this - zero 'blame' on you.  It's probably because someone on a nearby address is being or has been naughty, or addresses have been re-assigned and you have been give one that previously caused us trouble. One or two members have, sorry, been caught a couple of times.

Description

You have asked for /error/errorpage.php
You have asked of (our server) vcrp.uk [88.202.183.177] on port 80
You have asked from (client) 77.101.27.190
You have asked using the GET method and HTTP/1.1 protocol
Your browser is Mozilla/5.0 (Macintosh; Intel Mac OS^▸ (Ordnance Survey) X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Safari/605.1.15
You were referred here from http://vcrp.uk/
You received response code 200 ( OK ) at 10:15 on 1 Dec 20

If you think you should have received a real page - please contact me - graham/at/wellho/dot/net
Please copy and paste the description (above) in your email so I can resolve any problem.
Thank You.

We are always tuning things but we do need to keep some sort of traffic filter in place - both for the sake of our server, and our admin sanity too.

Here's an example of a "Denial of Service" attack last night (IP addresses obfurscated)


And here you can see how much we slashed the system load when we changed to the cheap blacklist (thicker black line is today ... other colours are previous days)

[grahame]

The volume of traffic from rogue addresses can be huge - 60,000 requests from a single location yesterday, with them arriving at a rate of over ten per second at a peak.  And in some circumstances, our server blacklists a range automatically. Very occasionally, a blacklisted lasso takes in a forum member as well as the rogue traffic - should you get an error page, please email me with the description block - example follows - and I can sort you out.  If you get a page like this - zero 'blame' on you.  It's probably because someone on a nearby address is being or has been naughty, or addresses have been re-assigned and you have been give one that previously caused us trouble. One or two members have, sorry, been caught a couple of times.

A couple of reports over recent days - so I have cleared most of the older records from the blacklist and have a "watching brief".  Hopefully the issues will be back to "very occasional" and the extra work on the admins to clear rogue sign-up requests will not be too great.  I do have a backup of the old blacklist in case it needs re-instating.