Limit hostname lookups

Started by Sir Osis of Liver, October 20, 2024, 05:27:41 PM


Sir Osis of Liver

As posted elsewhere, I've run into a problem with hostname lookups crashing an account during bot attacks.  Processes were maxed out repeatedly by bots, eventually crashing ftp, cpanel, forum and website above it.  Processes had to be manually ended to restore everything.  Host support isolated the problem to Subs.php -


// Try the Linux host command, perhaps?
if (!isset($host) && (strpos(strtolower(PHP_OS), 'win') === false || strpos(strtolower(PHP_OS), 'darwin') !== false) && mt_rand(0, 1) == 1)
{
    if (!isset($modSettings['host_to_dis']))
        $test = @shell_exec('host -W 1 ' . @escapeshellarg($ip));
    else
        $test = @shell_exec('host ' . @escapeshellarg($ip));


Code is the same in 2.0 and 2.1.  Illori identified it as hostname lookups triggered by IP bans.  Disabling lookups stopped the process spikes, been running flat at minimum for past 5 days despite continued Chinese bot traffic.  As I understand it, what basically happens is the ban system is overloaded if there are a lot of IP bans and a lot of bots hitting them.  Would it be possible to restrict hostname lookups if they reach a predetermined level, similar to maximum emails to send per minute setting?

When in Emor, do as the Snamors.
                              - D. Lister

Arantor

No, not really because that's not the problem - it's not that the ban system is overloaded as such, but that the total traffic is new to the site (no session) and the system has to go look it up just in case there's a ban.

It is nothing to do with IP bans, solely hostname bans.

And in reality the effort required to work out how many requests have been done lately will be problematic too - so better to just not do a lookup at all (there is a reason no other forum provider offers this) and deal with it with other methods.
Holder of controversial views, all of which my own.
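
A per-minute cap on hostname lookups of the kind asked about in the first post, as an added example (not SMF code and not written by either poster). The function names, the counter file and the stub resolver are hypothetical; the lock-protected counter touched on every request is the bookkeeping cost such a cap carries.

```php
<?php
// Added example: hypothetical helpers, not part of SMF.
// Caps reverse-DNS lookups per minute with a lock-protected counter file.
function lookup_budget_take(string $stateFile, int $maxPerMinute, ?int $now = null): bool
{
    $window = intdiv($now ?? time(), 60);   // current one-minute bucket
    $fh = fopen($stateFile, 'c+');          // create if missing, never truncate on open
    if ($fh === false)
        return false;                       // cannot track state: skip the lookup
    if (!flock($fh, LOCK_EX)) {             // serialise concurrent PHP workers
        fclose($fh);
        return false;
    }
    $state = json_decode((string) stream_get_contents($fh), true);
    if (!is_array($state) || ($state['window'] ?? null) !== $window)
        $state = ['window' => $window, 'count' => 0];   // new minute: reset
    $allowed = $state['count'] < $maxPerMinute;
    if ($allowed)
        $state['count']++;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

function limited_host_from_ip(string $ip, string $stateFile, int $maxPerMinute, callable $resolver): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false)
        return null;
    // Over budget: no resolver process is spawned, and hostname bans are
    // simply not evaluated for this request.
    if (!lookup_budget_take($stateFile, $maxPerMinute))
        return null;
    $host = $resolver($ip);
    return (is_string($host) && $host !== '' && $host !== $ip) ? $host : null;
}

// Constructed demo: cap of 3 per minute, stub resolver instead of real DNS.
$file = tempnam(sys_get_temp_dir(), 'hostcap');
$calls = 0;
$stub = function (string $ip) use (&$calls) { $calls++; return 'host.example.test'; };
for ($i = 0; $i < 10; $i++)
    limited_host_from_ip('203.0.113.' . $i, $file, 3, $stub);
echo "resolver ran $calls times for 10 requests\n";
unlink($file);
```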


Sir Osis of Liver

Disabling lookups does solve the problem, but the info popup tells you -

This disables host name lookups, which on some servers are very slow. Note that this will make banning less effective.

The thing is, lookups are enabled by default, and there are no errors logged or anything to indicate what's causing problems.  If you don't know where to look, and host support is crappy (not an uncommon condition), things will go badly.  And the process spikes will crash everything in the account, not just the forum.

Has anyone ever considered having the ban system place IP bans in .htaccess, maybe as an option, or is that not possible?



Arantor

Not every host uses htaccess though, and some hosts (especially back in the day) would 500 your site if you tried to use an htaccess file.

Not to mention that the ban syntax has changed in more recent times.

