Hits spikes - what software error?

[Gwaihir]

When I look at my site stats in some detail on top of practically every months stats are one or two DSL / cable users that generated a ridiculous number of hits. Different people each month, mind you, so in all I've spotted these spikes from at least a sources by now.

The pattern is always the same: a huge number of hits (100,000 to over 1,000,000) in a relatively short period (a few hours). I can't say I like this, as the handling of all these requests takes a lot of bandwith (150 - 600 megabytes of transfer) and it probably causes unwanted load on the server as well. Fortunately they have been very nicely spread out so far..

Does anyone have any clue to what is causing this? Does anyone see similar effects in his / her sites logs? Is there a subtle way to prevent this?

As I can't imagine that I have visitors that enjoy pressing reload for hours in a row (and very fast too), I assume this is caused by soft- and / or hardware at their end that incidentally misbehaves. My best guess is a malfunctioning browser window left open on my site for a couple of hours..

[gerilya]

I hardly see browser window 'misbehaves' like that.

I would probably bet on some aggressive search engine, which tries to index your whole site.

[Chappy]

Could it also be that someone is sending out e-mails or otherwise referencing a graphic on your site?

Not to long ago someone managed to upload a not so flattering graphic on my site and then referenced it in a lot of spam they sent out.

Do you have the HotLink protection enabled?

Just some random thoughts. They may have no meaning at all.

Hopefully they will help.

[Gwaihir]

Thanks for the input so far.

Gerilya: by 'hardly' do you mean "sometimes", or "none yet"?

Alas, I don't think either suggested cause can be it:

Search engine:
- one could index my site a dozen times over with that many hits
- the hits are not spread out: they all request the same page over and over, not pages all over the site
- from month to month the spikes come from a different origin, most of them having 'cable', or 'dsl' in there reverse DNS or being from a known cable-only provider. It would be a most weird setup for a search engine spider.

E-mail referencing:
- each spike is caused by one particular user (IP) making all requests, not by lots of users each requesting something once or twice
- I haven't seen it request an image yet, always a page (generally the main page)

[lookout]

From your description, this is probably not the cause, but you still might want to consider some robot restrictions on certain folders, and maybe even some limited hotlink protection. Google has quite a few of your site's images available via their image search. Some of them quite large in terms of file size.

[gerilya]

Originally posted by Gwaihir
Thanks for the input so far.

Gerilya: by 'hardly' do you mean "sometimes", or "none yet"?

I mean that although technically it might be possible, the hit rate of approx. 30-300 (100,000-1000000 / 3600) hits per second generated via browser would require a significant amount of resources, which would either shut the computer down or at the very least slow it down noticebly. Reasonable user would then close the offending application or restart the computer.

So, whoever does it, probably does it on purpose and the first 'purpose' that comes to my mind is a DoS attack (yeah, you can call me a paranoid ). Does your URL looks like a static page or dynamic one (.html, .php, .cgi, .pl)?

The additional information you provided pretty much clears the search engines, but I would still bet on automatic scripts.

[Gwaihir]

Thanks for the advice lookout. I'm aware of those issues. I already have a few robot restrictions in place. That large map - which is indeed quite popular - is meant to be found. That is: it is meant as a download, not an in-page image. I do hope people notice where they get it though. Also, I'm working on a major overhaul of the council website which will include hotlink protection, so I'm a bit lazy where it comes to temporary measures as well.

gerilya, I figured it would probably be a machine left unattended for a few hours, not switched off when the owners attention wanders elsewhere. In that case it can be a relatively common bug that doesn't suface to often, as generally one would click the page away. I'll look what pages it has happened with, among them is at least the main .html page.

The DoS option looks so weird. Why would a dozen different people practice their DoS script on me? I mean, it isn't nearly heavvy enough to be truly labeled an attack.

Update, some stats (from webalizer):

August '03

Spike dates: 9th and (mainly) 27th and 28th. Seem spread reasonably well around the clock. Do not show up in URL top 30 / top 10 - so I cannot see what page they request, if any. All direct requests.

Top 10 of 1843 Total Sites By KBytes
# Hits Files KBytes Visits Hostname
1 2199841 55.72% 198 0.68% 713698 33.49% 6 0.23% ********.coxinc.com
2 605498 15.34% 41 0.14% 195240 9.16% 1 0.04% ********.client.attbi.com
3 542301 13.74% 12 0.04% 176239 8.27% 2 0.08% ********.nc.hr.cox.net


Top 15 of 416 Total User Agents
# Hits User Agent
1 2200858 55.74% Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
2 1394800 35.33% Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

March '03

Spike dates: 5th, 29th and 30th. Again so large / long that it seems spread reasonably well around the clock. Do not show up in URL top 30 / top 10 - so I cannot see what page they request, if any. All direct requests.


Top 30 of 1966 Total Sites
# Hits Files KBytes Visits Hostname
1 2826219 77.49% 656 2.01% 914224 44.82% 38 1.51% ********.tu.ok.cox.net
2 301540 8.27% 2 0.01% 97199 4.76% 1 0.04% *********.fttd-s.tudelft.nl
3 233292 6.40% 50 0.15% 76734 3.76% 7 0.28% ********.gh.centurytel.net
4 102995 2.82% 91 0.28% 33548 1.64% 3 0.12% ********.unimaas.nl

Top 15 of 430 Total User Agents
# Hits User Agent
1 2845106 78.01% Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
2 303262 8.32% Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
3 233403 6.40% Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; .NET CLR 1.0.3

These are the two most heavvily affected ones in my logs. It is generally hard to find them in the hourly stats, as they average away so far. It is most noticable when there are suddenly one to three very busy hours late at night in a certain month.

And a bit from last month (Jan '04) to have the most recent here too:

Top 30 of 3186 Total Sites
# Hits Files KBytes Visits Hostname
1 436142 33.17% 48 0.10% 141100 5.33% 1 0.02% ********
2 191913 14.60% 86 0.17% 63904 2.41% 1 0.02% ********.client.comcast.net
3 121453 9.24% 37 0.07% 39211 1.48% 1 0.02% ********.speed.planet.nl

[gerilya]

I think you should start collecting raw logs and get them analyzed manually to get as much information as possible.

Bug explanation makes sense, but only if either 1) it's some not-so-popular browser (or may be combination of browser/OS) or 2) you have some fancy HTML code, which causes that bug Otherwise, similar complaints should pop up everywhere like mushrooms after rain.

As to DoS or any other hacking, there is no reasonable explanation for that kind of stuff . It usually goes like that: someone hacks/cracks/shuts the server down and then proudly posts the result on one of the "community" sites. Others read that and then try it themselves. Nowdays, it's easy to be a "hacker" with so many automatic scripts available for "educational purposes". You don't even need a computer knowledge, all you need is a reading skill and a free time, which those guys have plenty.

I am not sure whether it's appropriate to enter into too technical explanations here, but a browser bug that causes say 100 hits/second looks much more unlikely to me than a malicious script of some sort.