Moodle crashes when students press F5 (refresh) continuously

by Graciano Torrão -
Number of replies: 9

Hi,

I noticed that students are attacking Moodle in a very simple way.

They hold down the F5 key and after a while we get "Resource Limit Is Reached".

What can be done to avoid this? What are the possibilities?

Thanks

Average of ratings: Useful (1)
In reply to Graciano Torrão

Re: Moodle crashes when students press F5 (refresh) continuously

by Matt Bury -

Hi Graciano,

If your students are repeatedly sending the same HTTP requests to your server in order to deliberately use up all its resources, that's called a denial of service attack ( https://en.wikipedia.org/wiki/Denial-of-service_attack ). In some countries, it's regarded as a legitimate form of protest, like holding demonstrations, while in others, it's regarded as a criminal offence (e.g. UK and USA).

Do your students know what they're doing? Do they have malicious intent? Perhaps a conversation with your students would be helpful?

And yes, there are defences against denial of service attacks. I recommend getting some expert advice about which would be most suitable according to your particular circumstances.

I hope this helps!

Average of ratings: Useful (1)
In reply to Graciano Torrão

Re: Moodle crashes when students press F5 (refresh) continuously

by Ken Task -

@Matt is right but still some kiddos don't heed warnings. :\ So one must be prepared to do more than talk. That being said, there is something that might help:

https://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7

While it does say, and is about, CentOS 7, it can be used on just about any Linux/Apache system, methinks.

'spirit of sharing', Ken

Average of ratings: Useful (1)
In reply to Graciano Torrão

Re: Moodle crashes when students press F5 (refresh) continuously

by James McLean -

Personally I would have thought that if a few students refreshing a Moodle page repeatedly was enough to exhaust all your resources, there are probably issues with the environment capacity.

Are you sure it's the students and not actually a real attacker?

In reply to Graciano Torrão

Re: Moodle crashes when students press F5 (refresh) continuously

by Jeff White -

Your system would have to be extremely underpowered for a human being to be considered overloading your server by hitting F5 multiple times. It could just be regular users venting their frustration at page load times by hitting F5 multiple times. Try your best to determine if this is a malicious attack or your system or just regular users compounding the issue because your system is already near capacity.

Check how many requests you are getting per minute by a single IP address and how long the requester keeps the request open (see SYN flood). If they are using some kind of program to overload your server then yes, it is a problem and I would audit the logs from your server and hand it over to the security team for your University or company. Real DoS attacks are taken seriously (like 10 years in prison) and if it's a student doing this on the local network with their own computer then higher education is really not for them.

You can easily make a rule to ban an IP address for X amount of time because of too many requests. Check out Fail2ban.

Average of ratings: Useful (1)
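
The per-IP request count suggested in the post above can be read straight from the web server's access log. This is an added example, not part of the original thread: it assumes Apache's common/combined log format, and the log lines, addresses, date and threshold are constructed for illustration. It also reports how much of a client's traffic goes to a single URL, which separates a held-down refresh key from ordinary browsing.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Prefix shared by Apache "common" and "combined" formats:
# ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3} ')

def parse(line):
    """Return (ip, minute, path), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts.replace(second=0), m["path"]

def noisy_clients(lines, threshold):
    """Map each IP whose busiest minute reaches `threshold` requests to
    (peak requests per minute, most-requested path, that path's share)."""
    per_minute = Counter()
    paths = defaultdict(Counter)
    for ip, minute, path in filter(None, map(parse, lines)):
        per_minute[(ip, minute)] += 1
        paths[ip][path] += 1
    peaks = defaultdict(int)
    for (ip, _), n in per_minute.items():
        peaks[ip] = max(peaks[ip], n)
    report = {}
    for ip, peak in peaks.items():
        if peak >= threshold:
            top_path, hits = paths[ip].most_common(1)[0]
            report[ip] = (peak, top_path, round(hits / sum(paths[ip].values()), 2))
    return report

def sample_log():
    """Constructed input: one client reloading a quiz page 32 times a second
    for two seconds, one ordinary user, and one malformed line."""
    fmt = '{} - - [12/Mar/2018:10:15:{:02d} +0000] "GET {} HTTP/1.1" 200 5120'
    lines = [fmt.format("192.0.2.10", i // 32, "/mod/quiz/view.php?id=7")
             for i in range(64)]
    lines += [fmt.format("198.51.100.7", 5 * i, p) for i, p in
              enumerate(["/", "/course/view.php?id=2", "/mod/page/view.php?id=9"])]
    return lines + ["garbage line"]

if __name__ == "__main__":
    for ip, (peak, path, share) in noisy_clients(sample_log(), 60).items():
        print(f"{ip}: {peak} req/min, {share:.0%} to {path}")
```

Behind a reverse proxy or campus NAT the logged address is shared by many users, so a flagged IP identifies a network location rather than a person.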
In reply to Jeff White

Re: Moodle crashes when students press F5 (refresh) continuously

by Matt Bury -

Hi Jeff,

If users hold down the F5 key, as Graciano described, it continuously sends requests (many per second) to the server. This is very similar to a DoS attack. If multiple users do it continuously and no HTTP accelerators or counter-measures are in place, then it's not unlikely that a server would slow down to a crawl.

Ken's recommendation of using mod_evasive would more than likely prevent this particular kind of abuse. It's a popular 3rd party module so there are plenty of tutorials/instructions available for whatever server setup you may be using: CentOS, Debian/Ubuntu, IIS, etc. You can also check the logs that mod_evasive generates to find out who the guilty party/ies is/are.

Average of ratings: Useful (1)
In reply to Matt Bury

Re: Moodle crashes when students press F5 (refresh) continuously

by Jeff White -

Thanks Matt. I was not actually aware that browsers had that capability and just thought he was describing a regular user just hitting F5 over and over. I would still think it would take a lot of users doing this to knock out a production environment.

Seems like a major flaw with browsers being able to do this.

In reply to Matt Bury

Re: Moodle crashes when students press F5 (refresh) continuously

by Rick Dennis -

Guys, this sounds like one of those right wing conspiracy beliefs. You have a group of idiots in unison hitting the F5 key, refreshing the page and bringing down the site, yeah right. At least believe a few zombie computers are involved, repeatedly calling the URL of the site for a real DOS attack. Are their fingers tired yet? Geezzzzzzzzzz...... the only way this belief could work with the little fingers not getting tired is if Moodle was running on someone's cell phone. Even on an old server running Moodle, this belief of a group of users hitting the F5 key and bringing down the server is a flat earth group idea.

This "Resource Limit Is Reached" is going to have another cause, plain and simple.

The belief of a DOS attack with a bunch of idiots hitting the F5 key is so ridiculous I cannot believe anyone could believe such an idea.

In reply to Rick Dennis

Re: Moodle crashes when students press F5 (refresh) continuously

by Matt Bury -

Hi Rick,

It's not as far fetched as you might think. Moodle is a very heavy web app.

According to Moodle docs the rough rule of thumb for Moodle 2.9 is 1GB memory can support up to 10 - 20 concurrent users.

Say the average page takes 0.5 seconds to serve, then 40 requests per second would more or less give a mean of 20 concurrent requests. Request processing will take longer when the server is busy so the effective number of concurrent requests will increase exponentially as the server gets close to its limits.

Roughly speaking, say the keyboard repeat rate is set to 32 repeats per second (tech-savvy users can increase this), then 2 users holding down their F5 keys will produce a flood of 64 HTTP requests per second, at least 1.5 times higher than a server with 1GB of memory can handle. >12 users holding down the F5 key on a particularly resource intensive Moodle page, e.g. a quiz, could maybe take down a server with 16GB memory. (More knowledgeable Moodlers may want to correct this rough, linear calculation with something more accurate).

Exact figures will depend on which pages users send the requests for, e.g. Quizzes are more resource intensive than Pages, for example, as well as the speed of the CPU, connections to database, etc. (There's a script here that can help with testing that: https://moodle.org/mod/forum/discuss.php?d=57028&parent=772267 - Remember to test the server at a non-busy time and delete the script from the server when you've finished)

There are also 3rd party services that can simulate DoS attacks for you to test the strength of your server setup.

I hope this makes sense.

Average of ratings: Useful (4)
In reply to Matt Bury

Re: Moodle crashes when students press F5 (refresh) continuously

by Dan Marsden -

Definitely not far-fetched. I've seen similar behaviour on a number of self-hosted solutions - often it's solved by improving the configuration of the web server.

One scenario I saw a long time ago - a teacher had uploaded some large video files to their course and rather than downloading them on the home internet connection, a student's flatmate loaded some form of automated download software on their laptop and pasted in the links to the video files - when that student came on-site and connected to the network the downloader kicked in and tried to download the files. Problem was that the file download required the student to log in first and it didn't share the session with the user's web browser. The software tried to download all the files at once and made very quick subsequent re-attempts as each attempt failed. This caused a significant load on the Windows-based server... A number of different configuration changes were made to prevent this kind of load from taking the server down (it took quite a bit longer to convince them to move off Windows but we made it in the end!!)

Average of ratings: Useful (2)