[ixpmanager] DoS Attack of IXP Manager Looking Glass
Barry O'Donovan
barry.odonovan at inex.ie
Tue Jan 19 09:03:32 GMT 2021
Rob Lister wrote on 18/01/2021 16:21:
> In recent months we've had a few instances of people really hammering
> our RS Looking glass, seemingly to enumerate large numbers of
> prefixes.
See Marco's suggestion re robots.txt.
> Whilst we are happy for the lg data to be available, this seems to be
> caused by someone walking the entire lg for prefixes for a
> particular ASN, making hundreds of connections in parallel, maybe
> 7-10 requests per second, > 3000 requests in a 5 minute period before
> our monitoring alarms.
This feels like a crawler.
There are a number of options - most configured out of the box - to
protect against this including:
https://github.com/inex/birdseye#security
At INEX, we'd typically allow greater probing of the collector rather
than the route servers (e.g. caching or not, MAX_ROUTES setting in .env).
- Barry
> lg requests are a bit computationally expensive to do, given that it
> requires a connection to the looking glass API and results to be
> cached etc.
>
> Is anyone else experiencing such (mis)usage patterns on their LG?
>
> Perhaps one solution might be to limit the number of simultaneous
> requests per IP address in Apache for that URL. Looks like Apache
> libapache2-mod-bw or the newer mod_qos is the way to go? Anyone done
> it?
>
>
> Thanks,
>
>
> Rob
>
>
--
Kind regards,
Barry O'Donovan
INEX Operations
https://www.inex.ie/support/
+353 1 531 3339
More information about the ixpmanager
mailing list