tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
Posted: Thu Sep 14, 2006 5:58 pm Post subject: Too many connections. Please try again later.
We've added a mechanism for limiting the number of concurrent connections from a single IP address to help prevent DoS attacks. If you have more than 10 concurrent connections you will receive the "Too many connections. Please try again later." 503 error message.
If you are getting this message it could be because of your browser settings. If you are using Firefox you can change the per-server connection limit by changing the following variable in about:config:
network.http.max-connections-per-server
The Fasterfox extension is known to increase this to 16 (and not change it back if the extension is uninstalled). Setting that to a value of 10 or less should fix the problem. _________________ Search | Read | Answer | Report | Strip

Kruegi Guru
Joined: 09 Feb 2005 Posts: 406 Location: Clausthal-Zellerfeld; DE
Posted: Fri Sep 15, 2006 10:28 am
Two pieces of advice:
For the admins: Never expect the user to have special browser settings or alter any of these settings to make the website work!
For the users: Never change the browser settings because a website told you to do so!
Altogether it may not be the best solution!
Thomas

tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
Posted: Fri Sep 15, 2006 1:39 pm
Kruegi wrote: | For the admins: Never expect the user to have special browser settings or alter any of these settings to make the website work! |
The site works fine as long as you don't have too many concurrent connections, otherwise you get a temporary 503 error. You don't have to make any changes for it to work as it's working exactly as expected. If you don't mind the errors you don't have to change anything.
Kruegi wrote: | For the users: Never change the browser settings because a website told you to do so! |
Fine, don't change your settings (although the user already has as the default is 8) but don't complain that you're getting errors.
Kruegi wrote: | Altogether it may not be the best solution! |
It's the best solution we've got and a million times better than the entire forums going down when we get DoSed (which happens more than you'd think). _________________ Search | Read | Answer | Report | Strip

slick Bodhisattva
Joined: 20 Apr 2003 Posts: 3495
Posted: Sat Sep 16, 2006 12:09 pm Post subject: Re: Too many connections. Please try again later.
tomk wrote: | If you are getting this message it could be because of your browser settings. If you are using Firefox you can change the per-server connection limit by changing the following variable in about:config:
network.http.max-connections-per-server |
Please don't misunderstand me, but I think it's really a stupid way. I get a "Too many connections. Please try again later." at every ~second site I load. It isn't possible to work with the forum! I do not want to change my settings in Firefox (for only this site), because I love to speed up my connections with a higher http.max-connections-per-server value. Please find another way to prevent DoS attacks.
The solution, I don't know if it exists, is to find a way to configure the network.http.max-connections-per-server value per domain. Then I will accept the limits here.

Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Sat Sep 16, 2006 12:16 pm
I understand this new limitation completely. As an admin (not here, though) I also get irritated because of all those "download accelerators" and "superstanza überfast web browser extensions". On a popular site those pretty quickly add up at the server side and do more harm than real use. Something like a download accelerator is ok if it fetches the different parts of a file from different servers - but it sucks if it just opens 10 connections to the SAME server, assuming that it would make things speedier. Of course it speeds up if administrators have set up per-connection transfer rates, but 10 connections instead of one? Puh-leez.
Same goes for HTTP requests. 16 or more concurrent requests to the same site at the same time? Hmm... not very nice. _________________ Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sat Sep 16, 2006 12:20 pm
Please also think about users behind a corporate proxy or the like.
Even with 25 allowed parallel connections to f.g.o I might get issues here due to that.
If at all, then the X-Forwarded-For header should be taken into consideration too. (Of course there are a lot of proxies which filter this out.)
A plain iptables statement (if that's what's been implemented in this case) purely looking at the number of concurrent connections is not the best idea. _________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
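
An added example (not part of the thread and not the forum's actual implementation) of counting concurrent connections per client instead of per proxy address, honouring X-Forwarded-For only from known proxies. The limit of 10 is taken from the announcement; the proxy range and all function and class names are assumptions.

```python
import ipaddress
import threading
from collections import Counter

# Assumptions: limit of 10 as announced; a documentation-range proxy network.
MAX_CONCURRENT = 10
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_key(peer_ip, xff_header=None):
    """Return the address the limit is counted against.

    X-Forwarded-For is client-controlled, so it is honoured only when the TCP
    peer is a trusted proxy. The chain is read right to left and the first
    non-proxy hop wins; a missing (filtered) or malformed header falls back
    to the peer address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not _trusted(peer):
        return str(peer)
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break
        if not _trusted(addr):
            return str(addr)
    return str(peer)


class ConnectionLimiter:
    """Counts in-flight requests per client key and rejects the excess."""

    def __init__(self, limit=MAX_CONCURRENT):
        self.limit = limit
        self.active = Counter()
        self.lock = threading.Lock()

    def acquire(self, peer_ip, xff_header=None):
        key = client_key(peer_ip, xff_header)
        with self.lock:
            if self.active[key] >= self.limit:
                return None, (503, f"Too many concurrent connections from {key} "
                                   f"(limit {self.limit}).")
            self.active[key] += 1
        return key, (200, "OK")

    def release(self, key):
        with self.lock:
            self.active[key] -= 1
            if self.active[key] <= 0:
                del self.active[key]
```

When a proxy strips the header, every user behind it still shares one budget, so such proxies would need a higher limit of their own.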

tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
Posted: Sat Sep 16, 2006 5:31 pm
We're looking at a solution for people behind proxies and we're considering upping the limit as long as it doesn't cause any problems. _________________ Search | Read | Answer | Report | Strip

Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Sat Sep 16, 2006 6:25 pm
tomk wrote: | We're looking at a solution for people behind proxies and we're considering upping the limit as long as it doesn't cause any problems. |
Have you tried to throttle on per file-type basis? Like "Allow unlimited connections to everything else except files ending .php". During page loads those browsers which have max-connections upped probably are loading all those pretty pictures and stuff and have only one .php connection open, at maximum. Right? _________________ Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

tomk Bodhisattva
Joined: 23 Sep 2003 Posts: 7221 Location: Sat in front of my computer
Posted: Sat Sep 16, 2006 6:34 pm
Janne Pikkarainen wrote: | Have you tried to throttle on per file-type basis? |
Yes we've already got this implemented, basically when you request a page that's one connection. _________________ Search | Read | Answer | Report | Strip

Janne Pikkarainen Veteran
Joined: 29 Jul 2003 Posts: 1143 Location: Helsinki, Finland
Posted: Sat Sep 16, 2006 6:43 pm
tomk wrote: | Janne Pikkarainen wrote: | Have you tried to throttle on per file-type basis? |
Yes we've already got this implemented, basically when you request a page that's one connection. |
Oh. Ok. So that means you have keepalive connections on?
Are the DoSsers using some typical web browser name or is the user-agent something identifiable? Restricting by user-agent could help for now, at least... though might be dangerous, too. _________________ Yes, I'm the man. Now it's your turn to decide if I meant "Yes, I'm the male." or "Yes, I am the Unix Manual Page.".

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Sat Sep 16, 2006 7:48 pm
Janne Pikkarainen wrote: | Are the DoSsers using some typical web browser name or is the user-agent something identifiable? Restricting by user-agent could help for now, at least... though might be dangerous, too. |
Uhh, please don't even think out loud about such snake oil 'solutions' - from a security point of view this is even less useful than MAC filtering on WEP/WLAN is. _________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

thumper Guru
Joined: 06 Dec 2002 Posts: 552 Location: Venice FL
Posted: Sat Sep 16, 2006 9:37 pm
I've never made any changes to how many connections Konqueror makes, and I get the message every *other* click while browsing different message threads, and it's to the point of making the forums no longer usable.
AH HA!!! Found out why.
I have a habit of using my back button, when I do and click on a new thread it happens...
Now having to relearn a habit grown over many years really can piss a person off.
George

Earthwings Bodhisattva
Joined: 14 Apr 2003 Posts: 7753 Location: Germany
Posted: Sun Sep 17, 2006 7:30 pm
Repeating here what I already said on IRC: I think the number of connections allowed should either be increased to something >50 or the whole extension be dropped. It sucks, drives users away and has little benefit. _________________ KDE

klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Mon Sep 18, 2006 11:24 am Post subject: Re: Too many connections. Please try again later.
slick wrote: | Please don't misunderstand me, but I think it's really a stupid way. I get a "Too many connections. Please try again later." at every ~second site I load. It isn't possible to work with the forum! I do not want to change my settings in Firefox (for only this site), because I love to speed up my connections with a higher http.max-connections-per-server value. Please find another way to prevent DoS attacks. |
Don't you get the fact that it's exactly those http.max-connections-per-server settings that contribute to the forum getting DoS'd?
When the forums go down, they go down for everyone. We (the admins) then have to a) notice the forums are down (we generally get alerts from our IRC bot about this), b) log in to the server, c) see which retard is causing the problem (it's very rarely deliberate) and then d) ban their IP address. During that time, nobody can browse the forums.
Later, we often have to deal with the "why can't I access the forums" email from said retard who can't figure out why he all of a sudden can't access our site. All of this takes a considerable amount of time.
This forum has always put the best interests of the community above the (selfish) desires of a few individuals and we will continue to do so.
--kurt _________________ The problem with political jokes is that they get elected

slick Bodhisattva
Joined: 20 Apr 2003 Posts: 3495
Posted: Fri Sep 22, 2006 3:26 pm
I understand the problem, but I hope there will be a better solution. I think it's not a good way to tell the users what they have to do. (And a little bit higher http.max-connections-per-server isn't a crime.)
On the other hand, for example, if anybody wants to use Freenet, he reads the FAQ and reads this:
http://freenetproject.org/faq.html#connections wrote: | Why does Freenet only download 1 or 2 files at a time?
Many browsers limit the number of simultaneous connections to something far too low for efficiently browsing Freenet (since Freenet pages often have much higher latency than web pages). This can usually be reconfigured. For example, for Mozilla, create a file with the following contents called user.js in the directory with prefs.js, or append to an existing user.js:
user_pref("network.http.max-connections", 200);
user_pref("network.http.max-connections-per-server", 100);
user_pref("network.http.max-persistent-connections-per-server", 10);
user_pref("network.http.max-persistent-connections-per-proxy", 50);
Note that these settings will cause mozilla to use more connections for all your browsing, which may not be desirable from a network congestion point of view; volunteers to make mozilla allow this sort of settings to be set per host would be welcome... |
After he changed the settings he was not able to use the Gentoo forum. In this case he first has to understand the problem (and I mean it isn't easy to understand for a noob, for example) and then he must find a solution, for example use different browsers for Freenet and forums.gentoo.org or use browser profiles or ... or ...
I mean, if you really want to do this, it would be nice if there is not only the short "Too many connections. Please try again later." message. Better there is a short statement of what's up. The first time I read the message I checked my network, browsed my logfiles and searched for the failure on my computers because I couldn't understand it.

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Fri Sep 22, 2006 7:43 pm
slick wrote: | I mean, if you really want to do this, it would be nice if there is not only the short "Too many connections. Please try again later." message. Better there is a short statement of what's up. The first time I read the message I checked my network, browsed my logfiles and searched for the failure on my computers because I couldn't understand it. |
I fully agree with slick here.
Even for someone like me, being a networking professional, the error message when seen the first time was/is misleading. Actually my first thought was 'uups, the forums get DoSed at this very moment, now hurry to find some of the admins to inform him about this'.
Not too far from the real issue but otoh not even close to what it is about... From a normal user's point of view there's simply no chance to come to the conclusion his own browser settings are the issue here.
Just as reference have a look at how dnsstuff.com handles such issues - they give back a clear error message stating that e.g. Fasterfox with too aggressive optimization settings can be the problem. (plus the little detail dnsstuff handles this better when behind a proxy but the forums didn't/don't) _________________ Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

slick Bodhisattva
Joined: 20 Apr 2003 Posts: 3495
Posted: Sat Sep 23, 2006 11:51 am
At this moment I get a 503 with http.max-connections-per-server=10 while browsing (normal) the forum.

dmitchell Veteran
Joined: 17 May 2003 Posts: 1159 Location: Austin, Texas
Posted: Sun Sep 24, 2006 5:20 am
How can I limit the number of connections under Konqueror? _________________ Your argument is invalid.

dos14hk n00b
Joined: 12 Jul 2006 Posts: 41 Location: Hong Kong
Posted: Sat Oct 07, 2006 12:27 am Post subject: Too Many Connections : Please try again later [SOLVED]
Recently I've been getting this on going to Gentoo forums, regularly (about 50-75% of the time):
Too Many Connections : Please try again later
Is it me or are the forum servers choking? _________________ GIGABYTE GA-G1975X-C | Pent(D)3GHz | FSB:800MHz | 2GB:DDR2:667MHz | Seagate 80G SATAII x 2 : RAID 0 | Gentoo ~x86 DEV 2007.0 Desktop
Last edited by dos14hk on Sat Oct 07, 2006 1:25 am; edited 1 time in total

dmitchell Veteran
Joined: 17 May 2003 Posts: 1159 Location: Austin, Texas
Posted: Sat Oct 07, 2006 1:11 am
See this thread. _________________ Your argument is invalid.

dos14hk n00b
Joined: 12 Jul 2006 Posts: 41 Location: Hong Kong
Posted: Sat Oct 07, 2006 1:25 am
Many thanks. _________________ GIGABYTE GA-G1975X-C | Pent(D)3GHz | FSB:800MHz | 2GB:DDR2:667MHz | Seagate 80G SATAII x 2 : RAID 0 | Gentoo ~x86 DEV 2007.0 Desktop

jmbsvicetto Moderator
Joined: 27 Apr 2005 Posts: 4734 Location: Angra do Heroísmo (PT)
Posted: Sat Oct 07, 2006 1:38 am
Moved from Networking & Security to Off the Wall.
[mod]This thread should have been made in the GFF forum as this relates to the forums.[/mod]
Hi.
That probably means that you're running something like fasterfox which opens many parallel connections to the forums. The forums were updated on September 14 to limit DoS attacks. _________________ Jorge.
Your twisted, but hopefully friendly daemon.
AMD64 / x86 / Sparc Gentoo
Help answer || emwrap.sh

jdmulloy Tux's lil' helper
Joined: 24 Dec 2004 Posts: 139 Location: Massachusetts, USA
Posted: Sun Oct 15, 2006 8:00 pm Post subject: Second this
dmitchell wrote: | How can I limit the number of connections under Konqueror? |
I'm having the same problem. I've searched the forums, Google, kde-forums.org and KDE Bugzilla and no answer. How the hell do I fix this, it's pissing me off.

Earthwings Bodhisattva
Joined: 14 Apr 2003 Posts: 7753 Location: Germany
Posted: Sun Oct 15, 2006 10:09 pm Post subject: Re: Second this
jdmulloy wrote: | dmitchell wrote: | How can I limit the number of connections under Konqueror? |
I'm having the same problem. I've searched the forums, Google, kde-forums.org and KDE Bugzilla and no answer. How the hell do I fix this, it's pissing me off. |
Question remains whether this should be "fixed" on your side or in the server configuration of f.g.o. _________________ KDE

jdmulloy Tux's lil' helper
Joined: 24 Dec 2004 Posts: 139 Location: Massachusetts, USA
Posted: Mon Oct 16, 2006 12:50 am Post subject: Re: Second this
Earthwings wrote: | jdmulloy wrote: | dmitchell wrote: | How can I limit the number of connections under Konqueror? |
I'm having the same problem. I've searched the forums, Google, kde-forums.org and KDE Bugzilla and no answer. How the hell do I fix this, it's pissing me off. | Question remains whether this should be "fixed" on your side or in the server configuration of f.g.o. |
Read what dmitchell said. I want to fix this on my end. I can't figure out how. I don't want to be greedy but I can't figure out how to tell Konqueror to behave.