This morning I noticed that the server where this site is hosted was responding very slowly for some minutes. I barely managed to log on and noticed that the load average for the machine was around 80! All the runnable processes were Apache server processes, so I suspected some kind of DoS attack.
Fortunately, the load returned to normal levels after a couple of minutes and, looking at the server logs, I saw a long string of requests from a user-agent that identifies itself as “Straw/0.25.1”. The problem is that there were about fifty consecutive requests in less than three minutes’ time!
Googling around I found Straw’s home page and learned that it’s a desktop news aggregator for Gnome. I don’t think I am exaggerating by affirming that an aggregator that manages to send fifty requests in three minutes is an incredibly sucky piece of code.
Some technical details follow:
The aggregator was evidently programmed to fetch the "/?flavor=rdf" URL. That was the URL of my RSS 1.0 feed when I was still running blojsom. Now that I’m using WordPress, the query parameter is ignored, so the request fetches my home page (in HTML, 18853 bytes served per request); the aggregator is probably confused by it and happily retries immediately, fifty times in a row, without even pausing to think!
The requests came from the 84.191.68.245 IP address, which resolves to p54BF44F5.dip.t-dialin.net. This is probably a dynamic IP address for a dialup connection to Deutsche Telekom. If you are reading this and recognize yourself, please program your aggregator to use this URL instead: http://agylen.com/feed/.
In order to avoid this happening again, I’ll try to install an appropriate mod_rewrite rule. Failing this, I’ll have no other option than blocking an entire D-Telekom subnet, since the IP address is clearly dynamic.
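A burst like this can be found in the access log by counting requests per IP and user-agent pair in a sliding three-minute window. The script below is an added example, not part of the original post: it assumes Apache's "combined" log format, and its log lines are constructed (the date, the second client and its `ExampleReader/1.0` agent are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bursts(lines, max_requests=50, window=timedelta(minutes=3)):
    """Return {(ip, user_agent): peak_count} for every client that reached
    max_requests inside any sliding window of the given length."""
    recent = defaultdict(deque)   # (ip, ua) -> timestamps still in the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not a combined-format line, skip it
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[(m["ip"], m["ua"])]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= max_requests:
            key = (m["ip"], m["ua"])
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def sample_log():
    """Constructed log lines: 50 retries 3 s apart, plus one ordinary reader."""
    start = datetime.strptime("01/Jan/2006:09:00:00 +0100", TS_FMT)  # made-up date
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 {} "-" "{}"'
    hits = [("84.191.68.245", 3 * i, "/?flavor=rdf", 18853, "Straw/0.25.1")
            for i in range(50)]
    hits += [("192.0.2.10", 60 * i, "/feed/", 4200, "ExampleReader/1.0")  # hypothetical
             for i in range(5)]
    return [fmt.format(ip, (start + timedelta(seconds=s)).strftime(TS_FMT), path, size, ua)
            for ip, s, path, size, ua in hits]

if __name__ == "__main__":
    for (ip, ua), peak in find_bursts(sample_log()).items():
        print(f"{ip} {ua!r}: {peak} requests within 3 minutes")
```

Keying on the user-agent as well as the IP keeps the match usable when the client comes back from a different dynamic address.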

