Internet noise, route exceptions and unneeded sessions in Rails


While I make myself at home in this newly installed MTOS backend (I know, the blog layout still looks the same... baby steps ;) ), I wanted to share this little trick that may be common knowledge but that I personally never realized until tonight...

As you know, the Internet is a noisy place. Part of this noise is "visible", and is made by you and me, hyperjumping from one website to the other, leaving comments on sites, writing our own blogs, buying stuff on Amazon, searching Google.
Most of the traffic on the net, though, goes unnoticed and is made by robots. Now there are good robots and bad robots. Good robots tend to behave, so we're not concerned with them now; bad robots tend to be there to spam, steal or hack into your website.
Usually there are pretty clever exploits to achieve these goals, but I find it very enlightening to study the magnitude of damage they can do just by being noisy.


Let me explain: it happens that I had a pretty old application that had been running fairly well for the last few months, out there in the wild, until a few days ago, when it started receiving more and more traffic.
The traffic was of the "let-me-try-and-use-you-as-a-proxy" type, but even though that specific attack was blocked, an interesting side effect emerged: the session table (where temporary information about one interaction between the user and the site is kept) quickly got polluted and started growing at a scary pace.

Now, if you're used to creating web applications, one of the basic tricks, together with caching the hell out of the website, is to disable all sorts of unneeded "user specific" data gathering. Here, for instance, there's a very good post on the topic, and on how to conditionally enable sessions in parts of the site. What the post doesn't make clear (or not clear to me, that is) is that exceptions will still trigger the creation of a session. This happens, in other words, when the application can't map your request to an existing resource (action, file, image or other). Guess what, the spammy internet noise we mentioned earlier does exactly that.

If you're on Rails, one solution appears to be disabling sessions application-wide (even if you need them in all controllers) and then re-enabling them where needed. The post on Errtheblog has clear examples of how to do that.
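
To see how much of a growing session table comes from this kind of noise, one option is to count the sessions opened by requests that never matched a route. The script below is an added example, not code from this post or from Errtheblog: the log excerpt is constructed, its layout is assumed to follow the Rails 2.0-era production.log, and the function names are hypothetical.

```ruby
# Constructed log excerpt (not from the post). Layout assumed to follow the
# Rails 2.0-era production.log; IPs are documentation addresses, IDs made up.
SAMPLE_LOG = <<~'LOG'
  Processing ApplicationController#index (for 192.0.2.10 at 2008-01-31 22:01:07) [GET]
    Session ID: aaa111
    Parameters: {}

  ActionController::RoutingError (No route matches "/proxy-check" with {:method=>:get}):

  Processing PostsController#show (for 198.51.100.7 at 2008-01-31 22:01:09) [GET]
    Session ID: bbb222
    Parameters: {"id"=>"42"}
  Completed in 0.01200 (83 reqs/sec) | 200 OK [http://example.org/posts/42]

  Processing ApplicationController#index (for 192.0.2.10 at 2008-01-31 22:01:10) [GET]
    Session ID: ccc333
    Parameters: {}

  ActionController::RoutingError (No route matches "/admin.php" with {:method=>:get}):
LOG

PROCESSING = /\AProcessing \S+ \(for (\S+) at [^)]+\)/
SESSION_ID = /\A\s*Session ID: (\S+)/
UNMAPPED   = /\AActionController::(?:RoutingError|UnknownAction)\b/

# Returns { client_ip => [session ids opened by requests that matched no route] }.
def sessions_from_unmapped_requests(log)
  wasted = Hash.new { |hash, ip| hash[ip] = [] }
  ip = sid = nil
  log.each_line do |line|
    if (m = PROCESSING.match(line))
      ip = m[1]          # a new request block starts here
      sid = nil
    elsif (m = SESSION_ID.match(line))
      sid = m[1]         # the session this request created or reused
    elsif UNMAPPED.match(line)
      wasted[ip] << sid if ip && sid
      ip = sid = nil
    end
  end
  wasted.transform_values(&:uniq)
end

# Clients that opened at least `threshold` sessions without reaching a real action.
def noisy_clients(log, threshold)
  sessions_from_unmapped_requests(log).select { |_, ids| ids.size >= threshold }.keys
end
```

A client that keeps appearing here with a fresh session ID on every request is filling the session table without ever using a session, which is the pattern described above.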

Well, enough for this Thursday night.
P.S.: MTOS indeed feels pretty sleek.


About this Entry

This page contains a single entry by Bru published on February 1, 2008 12:10 AM.
