Yep. This is Google explaining to Apple that they aren't the only one with patents. The monster patent portfolios of all the big players have exist in part to deter other large players from launching patent wars. It is a form of 'Mutually Assured Destruction'. Apple went nuclear starting a couple of years ago. Google (and other large players) are now launching their counter-strikes to demonstrate to Apple why it is a bad idea.

If Apple has any sense (more likely now that Steve Jobs is gone) they will begin quietly trying to wind down the patent wars.

A "small" DDOS attack is more than enough to down an unprotected machine. I experimented with less intensive approaches *first*. If I limitted the number of Apache connections they would run up the number of open connections until the server quit responding. If I let the number processes grow, they would keep adding connections until the machine ran out of memory to support additional connections. With a pool of more than 30K potentially attacking machines it takes an *incredible* amount of resources to just 'ride it out'.

You run into multiple limits: How many simultaneous TCP connections can your system handle? How much memory does it take per connection? How much CPU does it take to context switch between thousands of connections?

It was a simple yet very effective attack. If you didn't have a good sysadmin who *could* erect an intensive defense your choices would be

1) Let your site go down.

2) Pay a DDOS defense service to defend you.

True, they *could* have escalated it to a packet flood (and oddly enough naively dropping the TCP packets actually initially converted the HTTP Flood into a SYN flood - which didn't pose much of a problem for me at the rates they were running).

But it is much more resource intensive for the attacker and they are optimising return on investment. They can waste time dedicating their botnet to packet flooding a minor site with no financial payoff even if they succeed in bringing it down, or they can move on to easier targets where they can continue to 'time share' the botnet traffic among multiple targets.

It really is the 'why have locks on your doors and windows when the thief could kick them in' argument. Sure - he *could*. Or he could move down the street to the house that left their bathroom window open when they went to work.

Yes - but they don't change web browsers with every sequential request. ;)

Rate limiting IP addresses doesn't work when they are only hitting from any specific source IP address a few dozen times per hour. They bury you by having tens of thousands of different machines all hitting you independantly. You can be getting hundreds of requests per second and never trigger the rate limitting.

The essence comes down to two things. Neither is particularly complicated in principle, although getting it right can be a bit fiddly.

1) Detect attacking IPs.

HTTP Flood DDOS bots aren't (at least not yet) smart enough to look and behave EXACTLY like people using web browsers. They do wierd things like load web pages repeatedly while never loading images/running javascript/loading CSS stylesheets. They make sequential requests from the same IP address - but with different user agents. They might load a web page that uses cookies - but never return the cookies that are set. Or they might return a cookie - but from a different source address or with a different user agent. They might send user agents that haven't been in widespread use in half a decade. They might not set the 'referer' header, or some other header that a browser DOES set correctly. They probably don't follow HTTP redirects. What you are looking for is any behavior that distinguishes the good traffic and the bad traffic.

So I 'tailed' the web server log and analyzed it in one to ten minute chunks to detect abnormal accesses. All detected addresses were added to a persistent database of blacklisted addresses.

2) Add the detected attacking addresses to an efficient firewall.

A naive firewall blacklist might try to just put each addresses in one big long list. This doesn't scale well beyond a couple of hundred attacking addresses. On the older machine I had, I used a 'divide and conquer' approach: I created a few hundred filter chains based on a /n subnet division of the attacking ip addresses. I then wrote a set of rules that divided incoming traffic into those chains based on the /n they were a member of. That made the number of rules required to filter n attacking IP addresses scale as about O(log n). If I had had a more recent kernel I could have used a hashed map of addresses to take that down to O(1).

After that it became a slow game of cat and mouse. The attacker would alter his attack to try and slip by the detection, I would update the detection software to detect something else he wasn't getting perfect if he managed to by-pass the filters. After about two weeks they quit attacking the web server.

The largest issue I had really was that I was starting my defense from a 'standing start': I had to write all the needed scripts from scratch while the attack was still on going.

Having been the target of an HTTP-DDOS attack, I can tell you that manually blacklisting IP ranges is really ineffective. A DDOS botnet is comprised of thousands of machines that have been randomly infected by whatever vector the botnet operator used: Emails, web drive-by, etc. The result is that the source addresses are scattered widely with little relation between most participating addresses.

To defend against the attack, I wrote up an automatic firewall blacklisting program that detected and blocked each participating IP address individually in near-realtime. I was blocking more than 31,000 separate addresses before the DDOSers finally gave up trying to down the attacked website. Wierdly, there appears to have been no motive at all for the attack, yet they spent weeks attacking the target machine and actively trying to tune their attack to get past my filtering.

I use a system of rsync over ssh to do both onsite and offsite backups daily with a rotating system of hardlinked trees that give me seven days of daily backups, 5 weeks of weekly backups, 3 months of monthly backups, 6 months of quarterly backups and 1 year of semi-annual backups with each location doing both local backups and remote backups for the other site (which are 40 miles apart).

1) That report is a year old (July 2010). The current numbers are revealing.

2) Installed base is not the same as trend. There are more installed Windows XP systems in the world than Windows 7 systems. That doesn't mean XP is 'winning' the desktop OS.

3) W3Techs shows CentOS's market share hit its peak at about 10 or 11% of web sites, not 30%. The 30% number was the fraction of Linux web servers, not all web servers.

4) Since about Oct. 2010 CentOS has lost market share (dropped to circa 9%).

5) Ubuntu is growing much faster than anyone else is.

1. That quote is just under a year old, was a random comment with no evidence that the poster was who they said they were, that they knew what they were talking about, and was talking about the winter in 2009 to boot.

2. It doesn't matter globally if it froze people's balls off in England: Local Weather STILL isn't Global Climate.

1. Even if the Sun were to enter a Grand Minimum it would only offset warming for a few decades. And when the minimum ended, all that warming would come rushing right back.

2. 2010 is on track to be the warmest year ever in modern history. Think about that. The Sun is in the deepest minimum in around a century, scarcely a sunspot to be seen and we are still breaking the all time record for warmth globally.

3. It may be cold in England. But it is way above normal in Greenland. What part of Global don't you understand? Local weather has little to nothing to do with global climate.

Not everyone follows the pop charts.

I had to Google her to find out what she has done. The only song I recognized was the Eminem song she was mixed into. That said, she is a decent singer who's 'Thank You' reminds me of BoA's Duvet.

I think that's the point of this discussion, getting 1200 vpixels didn't used to be "specialty".

Every computer technology eventually becomes a specialty item.

Usually not too long before it passes away into the land of completely obsolete and from there into the land of 'found only in museums'.

Yeah, a whopping 10 of them, all expensive. Now see count how many 16x9 there are!

You are comparing apples and oranges. If you want the cheap commodity monitors you have to live with what the main market wants: 1080p. You are looking for a specialty monitor when you talk 1200 tall. You get to pay more for that. That's just basic supply and demand economics.

If you don't like it, that is your problem.