Results 1 to 6 of 6

Thread: Possible Performance Hit

  1. #1
    PGD Community Manager AthenaOfDelphi's Avatar
    Join Date
    Dec 2004
    Location
    South Wales, UK
    Posts
    1,245
    Blog Entries
    2

    Possible Performance Hit

    Hi all,

    Over the weekend, my server (that hosts PGD) started reporting excessive process warnings on the monitoring solution I use to keep an eye on things.

    In investigating this it's become plainly apparent that there are a lot of weird connections coming into the server from some dubious IP addresses. Many of these are already being handled by the firewall and the hosting management software, but some were not and these seemed to be intent on keeping connections to the mail services alive for an indefinite period of time.

    To try and combat this I've added some rules to the firewall to limit simultaneous connections. The downside of this is that you may notice a slight performance hit when surfing the site as connections could be rejected during page loading.

    I'm doing my best to ensure the server is safe from malicious activity and right now, this is the best solution I can come up with. Looking at some monitoring of the network it appears to be working.

    If you do notice any issues, please post details here.


    Thanks
    :: AthenaOfDelphi :: My Blog :: My Software ::

  2. #2
    PGDCE Developer de_jean_7777's Avatar
    Join Date
    Nov 2006
    Location
    Bosnia and Herzegovina (Herzegovina)
    Posts
    287
    Works mostly, and it's almost as fast as it was before (PGD may have been sluggish due to the increased number of connections). Sometimes it can't connect but it's fine as a mitigation.
    Thank you for working on it.
    Existence is pain

  3. #3
    Quote Originally Posted by AthenaOfDelphi View Post
    but some were not and these seemed to be intent on keeping connections to the mail services alive for an indefinite period of time.
    Are we talking here about connections to mail services using mail protocols like POP3, IMAP and SMTP or are we talking about connection being made toward web mail interface.
    If we are talking about connections through mail protocols then you could easily set up conection limit in your firewall in such a way so that it doesn't interfere with webpage as you can go an impose a connection limit only to a specific ports that are being used by these protocols:
    POP3:

    • Port 110 - this is the default POP3 non-encrypted port
    • Port 995 - this is the port you need to use if you want to connect using POP3 securely

    IMAP:

    • Port 143 - this is the default IMAP non-encrypted port
    • Port 993 - this is the port you need to use if you want to connect using IMAP securely

    SMTP:

    • Port 25 - this is the default SMTP non-encrypted port
    • Port 2525 - this port is opened on all SiteGround servers in case port 25 is filtered (by your ISP for example) and you want to send non-encrypted emails with SMTP
    • Port 465 - this is the port used if you want to send messages using SMTP securely


    Only in case of possible attacks on web interface you would not be able to impose a connection limit without affecting PGD webpage as both work on port 80 for initial connection and then port 443 for maintaining a secure connection using HTTPS.

  4. #4
    PGD Community Manager AthenaOfDelphi's Avatar
    Join Date
    Dec 2004
    Location
    South Wales, UK
    Posts
    1,245
    Blog Entries
    2
    It wasn't just mail these connections were appearing on which is why the connection limit is affecting everything.

    It appears to be some kind of TCP SYN attack as the connections are in the SYN state as though the server has responded to the SYN request with a SYN+ACK and is waiting for the client to return ACK.
    :: AthenaOfDelphi :: My Blog :: My Software ::

  5. #5
    Quote Originally Posted by AthenaOfDelphi View Post
    It appears to be some kind of TCP SYN attack as the connections are in the SYN state as though the server has responded to the SYN request with a SYN+ACK and is waiting for the client to return ACK.
    Well this is a completely different matter then.
    Here is what I'm wondering. Who would want to launch a TCP SYN Flood attack against PGD? What would they gain by doing this?
    Now if you perhaps host some other sites from your servers it it possible that one of them might be the actual target for the TCP SYN Flood attack. Perhaps they might be even executing TCP SYN flood attack toward PGD in order to make it less obvious that they are attacking another site on your server since clogging the server would take down all of the sites hosted on it any way.

  6. #6
    Hi, I did not notice any drop in performance, thanks for working on it.

    _______________________________________________
    ShowBox Tutuapp Mobdro
    Last edited by davido; 23-04-2020 at 04:45 PM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •