Attack on Nette.org with CTRL+F5

Notice: This thread is very old.
zkoumalek
Member | 6
+
0
-

Hello all!

First, i must say “congrats and thanks” to author Nette David Grudl and all community people! :-)

Question:
I see problem on my projects develop on Nette with F5 (CTRL+F5) attack.
We may “shut down” Nette.org with F5 or CTRL+F5 with small DoS attack.
Then is page unavailable for rest world :-(

Nette.org have same IP as forum.nette.org. But on forum (phpBB) have no problem with F5.

I need same results on as on forum.nette.org. I need my pages F5 immune.

I need solve cause.
Any tips guys?

Thank You very much for Your time and effort!

++++++++
CZ:
Ahoj všichni.

Předně musím pochválit Nette framework, jeho tvůrce Davida Grudla a super komunitu! :-)

Dotaz:
Zjistil jsem, že všechny mé projekty postavené na Nette lze “shodit”, či utnout dostupnost ostatním návštěvníkům podržením klávesy CTRL+F5.

Zjistil jsem, že Nette.org trpí stejným problémem.
Avšak forum.nette.org, které běží na stejné IP tímto problémem netrpí (PhpBB).
Toto fórum má “problém CTRL+F5” vyřešen.

Potřebuji získat stejný výsledek – abych své weby mohl chránit stejným způsobem.
Máte nějaké tipy?
Prosím o řešení příčiny. Problém je zjevně v Nette.

Velmi Vám děkuji za jakýkoliv tip a Váš čas.

Last edited by zkoumalek (2014-03-28 09:29)

llsm
Member | 121
+
+1
-

Hi,
I was not able to verify this, it actually doesnt make any sense. I tested one of my projects and main page of nette.org and both worked. Maybe slower, but worked. I think that problem could be your network or your lack of patience. Try this “attack” and use two different internet connections, for example use smartphone with mobile data.

Anyway, this should not be problem of php framework, but of its engine (web server, Apache or whatever you are using) and its settings.

zkoumalek
Member | 6
+
0
-

Hello llsm,

thank You very much for Your tip.

But i think it is not problem with network connection.

Try this example:
Start DoS with CTRL+F5 on fast fibre optic in USA (or DSL)

And web is not available on:

  • fast optic in Canada
  • ADSL in Netherland
  • ADSL in Slovak Republic

I think it is not network problem…

Nette.org will be down (or another pages). But with same test scenario forum.nette.org have no problem.

Thank You again.

llsm wrote:

Hi,
I was not able to verify this, it actually doesnt make any sense. I tested one of my projects and main page of nette.org and both worked. Maybe slower, but worked. I think that problem could be your network or your lack of patience. Try this “attack” and use two different internet connections, for example use smartphone with mobile data.

Anyway, this should not be problem of php framework, but of its engine (web server, Apache or whatever you are using) and its settings.

Tomáš Kolinger
Member | 136
+
0
-

llsm are right. This is not framework issue.

Nette.org is using more resources than forum.nette.org (or have less available resources?). But that's price of abstraction in code.

Milo
Nette Core | 1283
+
0
-

@zkoumalek If you observe some response lacks it can be due to session handler. But it is matter of PHP implementation or session storage. As far as I know forum doesn't use sessions.

zkoumalek
Member | 6
+
0
-

Hi Tomáš and Milo an llsm,

Thank You guys! :-)

Interesting info with sessions from Milo and Tomáš with resources.
Bandzone.cz, csfd.cz do not using sessions?
I think, yes?
On this webpages is no problem with sessions and “CTRL+F5 attack”.

Do You have any “solution” with “session problem” or some way…?

Thank You again! :-)

Tomáš Kolinger
Member | 136
+
0
-

Because big websites have own servers/VPS… Regular site like nette.org running on some webhosting, witch have really small limits in every aspect.

There is no general solution. You need monitor your application and find out where is your bottle neck. It can be sessions, database connections – count of concurrent PHP processes or something else.

This is not about “F5 Attack”. Problem is number of requests per second. This can be achieved in many ways (flood attack or just high number of visitors).

llsm
Member | 121
+
0
-

zkoumalek wrote:
Do You have any “solution” with “session problem” or some way…?

Try contact your hosting provider and discuss issue with him. Or if you have direct access to server, try fiddle with web server settings, there are plenty advices on internet about that. And if you figure out some solution, please post it.

zkoumalek
Member | 6
+
0
-

Hello Tomáš, llsm and Milo,

i will do some test on tuesday next week (i want try off sessions, etc).

I will post results here.

Thank You very much and have a nice weekend to all of us :-)

Filip Procházka
Moderator | 4668
+
0
-

F5 is no attack :) If you can kill you website just by refreshing the website, than the website is done really badly.

The session can be blocking and non-blocking depending on the storage and implementation. Blocking session means that all the previous requests must be completed to allow the webserver finish the last one. This limit applies to every single user, each user has “it's own queue”.

Try using console tools like curl or ab (apache benchmark) on your website, those are by default not sharing cookies/sessions.

Last edited by Filip Procházka (2014-03-28 16:32)

zkoumalek
Member | 6
+
0
-

Hello all again :-)

To Filip Procházka: I think… if CTRL+F5 shut down application, then it is “small” DoS :D

We have done some tests and problem is in database (bad qquestions, poor performance database, etc.). Here Filip have right.

Test with sessions off we want test in future.
I want post resume here. Do not worry guys :-)

zkoumalek
Member | 6
+
0
-

Hi guys.

We are doing some next tests.

Press CTRL+F5 and see top command on Your UNIX or Linux system. You will see, how Apache died :-)

Some tips:

  1. optimize DB
  2. Optimize Gzip compression on server and on application
  3. Optimize HTML
  4. Optimize images (use image sprites for incons, compress png, jpg gui (http://compresspng.com/))
  5. Use Nginx + PHP FPM instead of Apache, or Nginx for frontend (for static content – JS, CSS, img's…) and Apache with FastCGI as backend for PHP.

Etc.

We are want try some next test.
Best regards to all :-)