Ipb Causing Too Many Connections?

[Capt'n Morgan]

What's a normal amount of connections to appear per user (IP) on IPB?

My host is blocking valid users becaue they see anywhere from 80 to 180 connections from an IP. These are regular users that aren't doing anything malicious. I don't know why so many connections would appear. Is this normal?

[Darkside_RG_merged]

:unsure: Did they say which ip's ?

Could be the dreaded AOL proxy thing so they aren't all one user perhaps ?

[Capt'n Morgan]

:unsure: Did they say which ip's ?

Could be the dreaded AOL proxy thing so they aren't all one user perhaps ?

The IP's I looked up were from Comcast, the biggest IP in our area.

[bfarber]

The number of connections from an IP to your web server would have nothing to do with the software installed (IPB or otherwise)...

Or are they talking about your mysql server, in which case the IP should ALWAYS be the webserver's IP?

[Capt'n Morgan]

The number of connections from an IP to your web server would have nothing to do with the software installed (IPB or otherwise)...

Or are they talking about your mysql server, in which case the IP should ALWAYS be the webserver's IP?

This was the command they ran:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Does that help?

[Capt'n Morgan]

I'm also led to believe it's apache, because the server techs said;
"(the IP) created more than 100 connections per time on port 80 your VPS"

[rct2·com]

We have seen this on our server. Analysis of the http logs has shown that it's the same IP asking for the same IPB URL hundreds of time per second.

We suspect that it's a bot trying a Denial of Service (DOS) attack.

I suggest that you get the IPs from your hosts then look at the logs to see what URL those IPs are trying to hit, and how frequently. It may be a URL to your IP.Board, it may not.

Either way, we now use the ddos script on our server and the apf software firewall to temporarily block IPs which make too many connections.

[Capt'n Morgan]

We have seen this on our server. Analysis of the http logs has shown that it's the same IP asking for the same IPB URL hundreds of time per second.

We suspect that it's a bot trying a Denial of Service (DOS) attack.

I suggest that you get the IPs from your hosts then look at the logs to see what URL those IPs are trying to hit, and how frequently. It may be a URL to your IP.Board, it may not.

I don't think it's a DOS attack, because it's coming from a local, regular user's home PC. We see it from different IP's belonging to regular users that wouldn't have a clue or reason to do something malicious.

[Darkside_RG_merged]

:unsure: A shed load of Tabs set to a to high auto refresh and some clever Richard using one of those speed up guides to jack up requests by some silly amount ?

[bfarber]

In any event, there's nothing in IPB you can do to "fix" this - the user is simply making too many connections to your site simultaneously.

They could have a virus or something on their PC for all you know. Block them via htaccess or iptables and let them know the problem.

[rct2·com]

I don't think it's a DOS attack, because it's coming from a local, regular user's home PC. We see it from different IP's belonging to regular users that wouldn't have a clue or reason to do something malicious.

In any event, there's nothing in IPB you can do to "fix" this - the user is simply making too many connections to your site simultaneously.

They could have a virus or something on their PC for all you know. Block them via htaccess or iptables and let them know the problem.

Yes this is the point I was making. When we see our attacks, it is the same IP hitting the same URL hundreds of times a second. We assume it's a 'bot' that has infected people's PCs. If you look at hour weblogs and see the same IP hitting the same URL hundreds of times per second, it's a sign they have a bot.

I can recommend the apf firewall and ddos script. IT is a good way of temporarily banning IPs that have too many connections. You specify 'too many' and 'temporarily'. The script runs under CRONtab every couple of minutes.

You don't need the firewall to use the script, but a further advantage of the firewall is that it checks every 24 hours for known 'bad' IPs and automatically bans them.

[Capt'n Morgan]

I guess my take is that if a user happened to be infected with a virus, why would it choose our site to keep beating on? It's happened from several different user's IP's.

I would think it's more likely that they have a tabbed browser and they are trying to open several windows at once.

My host has blocked their IP's, but I've asked to have the block removed, because I don't think anything malicious is being done. I'm thinking that something is causing the server to slow down and then a few extra hits from the users are back-logging.

What might be a normal number of connections (if that's what the netstat command was showing) per web page?

[rct2·com]

The netstat command doesn't show connections per page, it shows connections to your server. The weblog will tell you what URL the IPs are targetting.

As to why a bot should choose your site, well that's down to the bot. It may look in the user's Favorites folder, or it may pick up a 'hit list' from a central site somewhere. Just 2 examples.

I'll try my suggestion for the 3rd time. If you look in the weblogs and see that these 'rogue' IPs are hitting on the same URL hundreds of times a second, it's a sign there is a bot at work. When we were under sustained attack like this, it was a particular topic, so http://<forum_url>?showtopic=<topic_num>. This entry was being 'hammered' by each IP that had too many connections. Even after we removed the particular topic, the attacks on that URL continued.

I strongly advise that you look at the logs and eliminate this as a factor before you start considering tabbed browsers. 80 to 180 connections is very unlikely to be caused by tabbed browsers.

[Capt'n Morgan]

In any event, there's nothing in IPB you can do to "fix" this - the user is simply making too many connections to your site simultaneously.

They could have a virus or something on their PC for all you know. Block them via htaccess or iptables and let them know the problem.

What should I look at if it's ALL my users?

My server management service installed a filter to auto block IP's with over 100 connections, and within a half hour, there were about 50-60 blocked, all of them from local, regular users.

Is there a bug in IPB that could be causing this? I have v2.3.1.



rct2dotcom, I'll see what I can find out by looking at my logs. The problem is they are huge and I don't know my unix enough to filter out just what I need. I probably need to grep out an offending IP address and a the current date, right?

[bfarber]

Please clarify - are these web connections, or database connections?

It MUST be web connections I assume, because database connections all come from one user (your mysql user) and there's no filter a host can put in place that would selectively block a user.

So, If I'm understanding this all correctly, and your host is telling you they're seeing 100+ simultaneous connections to your site from single IP addresses, the answer to your last question is no - there is nothing in IPB that would cause this, or allow you to prevent it. If it's happening with many users (50-60) I would be very inclined to say your host has a configuration/routing issue on their network, but I really have no way of knowing from here.

[rct2·com]

Yes a grep should do it.

I agree with bfarber that this is nothing to do with IPB, and is likely to be at the Operating system or network level. It looks as though your visitors clients [their browsers] are getting the impression that the server is dropping their connections after every HTTP request, so they create a new one [An IPB page can cause many HTTP requests to be generated, depending on how 'heavy' your pages are on graphics]. Every image is a separate HTTP request.

My guess is that because the server isn't actually sending the client a message that it wants to drop the connection, IT is holding the connection active, while the client is opening a new connection assuming that the previous one is dead, hence the large number of connections reported by the netstat command.

The DDOS script that I use includes that exact netstat command to find out connections per IP. It is set to ban IPs when they reach 150 connections. It hardly ever bans anybody. Right now [as an example] it is showing:

10 visitors with 1 connection
09 visitors with 2 connections
06 visitors with 3 connections
04 visitors with 4 connections
04 visitors with 5 connections
01 visitor with 6 connections
01 visitors with 7 connections
02 visitors with 9 connections
01 visitor with 10 connections
Localhost 127.0.0.1 with 14 connections
01 visitor with 22 connections

I'd say that was a fairly typical profile for an IP.Board. Our server has very few static pages. About 98% of our bandwidth is serverd by IP.Board.

Can you confirm that you haven't modded your IP.Board code please.

Do you have access to the netstat command? Typing it on its own would give some other clues about the status of these connections [TIME_WAIT, ESTABLISHED, FIN_WAIT2 etc] and the type of connection that is being made.