This had already happened once, and happened again last Monday. All at once, my web site www.marcocantu.com (and all other sites on the same server) slow down and come to a halt. This is due to dozens of consecutive downloads of some rather large files (ZIP files with book examples, PDF files) from a single IP address, assigned to some remote location. It was Belarus the first time, Algeria this week (according to afrinic.net the IP is assigned to Algerie Telecom FAWRI). Restarting the Apache server is no help, as after a couple of minutes everything is jammed again. I guess I could ban the offending IP, but it seems a temporary solution. This is an example of the log during an attack:
The impression I have is that this is not a voluntary Denial of Service (DoS) attack, but a faulty "web site download/mirroring" program that causes the DoS situation. But I might as well be wrong.
What I've ended up doing both times is to remove the handful of files subject to the attack, and either rename them or move them to a separate download service. In particular, I ended up moving most of the files to the download area of my Marco Cantu Tech World Google Group. This seems a good approach in general (as I save some bandwidth for better use), so I'll keep the files there and probably add a few more... that is, unless people find it inconvenient.
By the way, this is a second log, after I removed the files. Notice the frequency of the requests for the missing files, many times a second:
If you know anything about this kind of attack, and have any other suggestions, let me know.
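The pattern described in this post, a single address requesting the same files many times a second, can be picked out of an Apache access log with a per-client sliding window. The following is an added example, not part of the original post: the log lines are constructed, the addresses come from documentation ranges, and the path, window size and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

def parse_line(line):
    """Return (ip, time, path, status, bytes) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status, size = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, int(status), 0 if size == "-" else int(size)

def find_heavy_clients(lines, window_s=10, max_requests=20):
    """Flag clients that exceed max_requests inside any window_s-second window."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "not_found": 0, "peak": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, _path, status, size = rec
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop requests older than the window
            q.popleft()
        s = stats[ip]
        s["requests"] += 1
        s["bytes"] += size
        s["not_found"] += int(status == 404)   # hits on files already removed
        s["peak"] = max(s["peak"], len(q))
    return {ip: s for ip, s in stats.items() if s["peak"] > max_requests}

def sample_log():
    """Constructed sample: one client hammering a removed ZIP, one normal visitor."""
    lines = [f'203.0.113.7 - - [01/Jan/2024:10:00:{i // 4:02d} +0000] '
             '"GET /files/example.zip HTTP/1.1" 404 209' for i in range(60)]
    lines.append('198.51.100.20 - - [01/Jan/2024:10:00:05 +0000] '
                 '"GET /index.html HTTP/1.1" 200 5120')
    return lines

if __name__ == "__main__":
    for ip, s in find_heavy_clients(sample_log()).items():
        print(ip, s)
```

The `peak` and `not_found` counters separate a client that keeps retrying missing files from an ordinary visitor who makes a single request.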