Attack on www_server: vir01 z63 fills up tablespace

• Article Type: General
• Product: Aleph
• Product Version: 20
• Relevant for Installation Type: Dedicated-Direct; Direct; Local;

We are experiencing a Denial of Service attack (from a Chinese address: 800 www transactions per minute; > 1 million per day.)

We have a robots.txt file but the attacker is not identifying himself as a robot.
We have an .htaccess file, but that doesn't seem to help.

The first symptom we saw was a severe slowdown in OPAC response time.

Our vir01 z63 table was having a record added for each transaction, and, later, we started getting these messages in the www_server log:

Oracle error: io_z63_write
ORA-01654: unable to extend index VIR01.Z63_ID2 by 1024 in tablespace

so other (legitimate) users were no longer able to establish sessions.

Recreating the z63 (using util a/17/1 in vir01) (temporarily) corrected that problem.

We have added a "W D ..." (www_server Denial) line to the $alephe_tab/server_ip_allowed table. This denies access (and prevents z63's from being created) but our www_server log is filling up with "[vrb] connection 0 illegal ip address 124.115.6.19 , denying access" messages.

Resolution:
See KB 16384-3937 for SQL (see link below) to diagnose whether this might be the cause of a slowdown in OPAC response time which you are seeing.

The site went to their Internet connection supplier and had them block the IP at their end. That solved the problem. (If the server is inside a firewall, the IP can be blocked in the firewall.)

In regard to .htaccess, see KB 16384-26899 (link below).