Monthly Archives: April 2016

Rule #553 of the Internet

 


Rule #553 of the Internet: You know your app’s doing well when idiots make the effort to attack it for no apparent reason. For a while now, Textise has been suffering chronic performance problems and regular outages. You might have noticed. I certainly did!

First of all, my hosting company started complaining that Textise was hogging all the CPU on the shared server it was on. So they throttled it. This was understandable but reduced performance even further. It seemed that hundreds of thousands of requests were hitting the app every day, all sourced from the Opera browser. Obviously, this immediately looked suspicious, given that Opera isn’t the most popular browser on the planet, and none of these requests were showing up in Google Analytics (which was presumably assuming them to be bots).

So, I signed up for CloudFlare, a proxy service that can filter out malicious requests before they hit your app server. CloudFlare found threats, and stopped them, but it seemed to miss the Opera-sourced attacks, which didn’t reduce at all.

Plan B: I moved Textise from the shared server to a dedicated, physical box. This costs ten times more a year but at least allows me to see exactly what’s going on. The new server coped better with the traffic but still had to be throttled to stop it crashing out on a regular basis.

Plan C: I added code to the Textise app to reject calls from Opera. This did, finally, reduce CPU, but I was unhappy about such a blanket approach.

Plan D: I trawled through the server logs and, with the help of the R Project, I extracted page hit info from Google Analytics so I could compare the two. Eventually, I found another way to identify the malicious requests, meaning that genuine Opera users would still be able to use Textise, and coded it into the app. I talked to the folks at CloudFlare, in the hope that there was a way I could configure CloudFlare to do something similar, but it turned out that would cost me mucho cash, so the code stays in the application. This is a shame, as I’d rather these stupid calls were blocked well before they get anywhere near my server.
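
The log-versus-analytics comparison described in Plan D can be sketched as follows. This is an added example, not the code used on Textise: the post does not say which attribute identified the malicious requests, so the sketch assumes it was the exact User-Agent string, and the log lines, analytics counts, thresholds and function names are all constructed for illustration.

```python
import re
from collections import Counter

LOG_RE = re.compile(  # Apache/Nginx "combined" access-log format
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

# Constructed sample input (not taken from the post's server).
BOT_UA = "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16"
REAL_OPERA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/49.0 Safari/537.36 OPR/36.0"
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0"

def line(ip, ua):
    return f'{ip} - - [12/Apr/2016:10:00:00 +0000] "GET /page HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = "\n".join(
    [line(f"203.0.113.{i}", BOT_UA) for i in range(40)]
    + [line("198.51.100.7", REAL_OPERA)] * 3
    + [line("198.51.100.9", FIREFOX)] * 10
)
SAMPLE_ANALYTICS = {"Opera": 3, "Firefox": 9}  # pageviews per browser, constructed

def family(ua):
    """Coarse browser family, comparable to an analytics 'browser' dimension."""
    if "OPR/" in ua or ua.startswith("Opera/"):
        return "Opera"
    if "Firefox/" in ua:
        return "Firefox"
    return "Other"

def parse(log_text):
    """Return (ip, path, user_agent) for each well-formed line; skip the rest."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m:
            hits.append((m.group(1), m.group(3), m.group(5)))
    return hits

def unaccounted(hits, analytics, min_hits=20, max_seen_ratio=0.5):
    """Browser families whose server hits far exceed what analytics recorded."""
    server = Counter(family(ua) for _, _, ua in hits)
    return {f: (n, analytics.get(f, 0)) for f, n in server.items()
            if n >= min_hits and analytics.get(f, 0) / n < max_seen_ratio}

def narrow_signature(hits, fam):
    """Exact User-Agent strings inside a flagged family, most frequent first."""
    return Counter(ua for _, _, ua in hits if family(ua) == fam).most_common()
```

On the sample data, `unaccounted` flags only the Opera family, and `narrow_signature` shows a single User-Agent string producing nearly all of its hits, which is the kind of narrower filter that leaves other Opera users unblocked.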

I’ve now also added SSL to the site. This doesn’t stop attacks, of course, but it means that your use of Textise is protected. A downside is the bookmarklet and Firefox add-on were slightly broken. I’ve now fixed the bookmarklet (to update, just drag it into your bookmark bar again) but, because Mozilla are changing the way that add-ons work again, I need to re-write the FF add-on, which will take a little while longer.

 
