Hundreds of connections to a server, just from opening 10+ tabs in IE8?

Solution 1:

gbroiles already has a good answer; I'm adding an answer as this is too long to fit into a comment.

All browsers open multiple connections in order to download the site faster. Each image, CSS file, Javascript file etc. linked to in the HTML must be downloaded, and this is done in parallel to speed things up. You can see how many connections each browser opens at Browserscope.org's "Network" tab.

There are 2 more things to notice:

  • The trend is towards newer browsers opening more connections per host.
  • If the connection is downgraded to HTTP 1.0 (e.g. by an intermediary proxy), then most browsers will open additional connections. (The best link I could quickly find is here; Steve Souders writes more about this in one of his books.)

In effect, if this user is opening 10+ tabs to a single small VPS server, then he is hoarding resources. I think it's perfectly sensible to disallow this. The user may get grumpy, but he only has one set of eyes, so he really can't claim to interact with all 10+ pages at the same time. If the server is a big, beefy machine with low load, then it's another matter of course.

Some of the things you can do are:

  • Look at your HTTP Keepalive setting, and either turn it off, or set it to a low timeout value (e.g. 5 seconds). This may not be enough, but at least you won't have many lingering open connections.
  • Host static content (logos, CSS, JS, images used for layout) on a Content Delivery Network (CDN). Small CDN accounts are cheap now, and you would direct all HTTP requests for static content away from your own server.
  • Verify that your server is sending proper caching headers for static content. As a minimum, you don't want users to download the same logo, CSS and more over and over again. See this excellent tutorial on caching, and test your headers at webpagetest.org or REDbot.
  • Figure out exactly which system blacklisted your customer. If it was an anti-DDoS service from your ISP, then perhaps you could ask to be excluded from the anti-DDoS protection (but think about this first of course). If it was an on-host software firewall, then you could ask for the limits to be raised.

In short, you should be able to fix this together with your hosting partner -- but think about the potential consequences first.
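An added example, not code from this answer or from gbroiles: a small Python script that does offline what the third bullet above asks you to check at webpagetest.org or REDbot. Given a raw response header block (what `curl -I` prints for a logo or stylesheet) it reports how long a browser may reuse its cached copy without sending a request, and lists what stops the asset from caching well. The header blocks inside it are constructed samples, and the one-day "short freshness" threshold is an assumption, not a figure from the answer.

```python
"""Audit the caching headers of a static asset.

Added example, not part of the answer above. Feed it a raw HTTP response
header block (what `curl -I` prints) and it tells you how long a browser may
reuse its cached copy without a request, and what stops it from caching well.
All header blocks below are constructed samples, not real server output.
"""
import email.utils
from datetime import datetime, timezone

# Content types the answer calls static: logos, CSS, JS, layout images.
STATIC_PREFIXES = ("image/", "text/css", "application/javascript",
                   "text/javascript", "font/", "application/font")

# Constructed: a layout image served with no caching information and a session cookie.
BAD_HEADERS = """HTTP/1.1 200 OK
Date: Tue, 15 Nov 2011 08:12:31 GMT
Server: Apache/2.2.16
Content-Type: image/png
Content-Length: 4123
Set-Cookie: PHPSESSID=deadbeef; path=/
"""

# Constructed: a stylesheet with a one-year lifetime and validators for revalidation.
GOOD_HEADERS = """HTTP/1.1 200 OK
Date: Tue, 15 Nov 2011 08:12:31 GMT
Content-Type: text/css; charset=utf-8
Cache-Control: public, max-age=31536000
ETag: "4f2a-1c8e"
Last-Modified: Mon, 14 Nov 2011 20:01:00 GMT
"""

# Constructed: an older server using Expires instead of Cache-Control.
EXPIRES_HEADERS = """HTTP/1.1 200 OK
Date: Tue, 15 Nov 2011 08:12:31 GMT
Content-Type: image/gif
Expires: Wed, 16 Nov 2011 08:12:31 GMT
Last-Modified: Mon, 14 Nov 2011 20:01:00 GMT
"""
SAMPLE_NOW = datetime(2011, 11, 15, 8, 12, 31, tzinfo=timezone.utc)


def parse_headers(raw):
    """Parse a raw header block into {lower-cased name: value}; drops the status line."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def cache_control(value):
    """'public, max-age=3600' -> {'public': None, 'max-age': '3600'}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def audit_cache_headers(raw, now=None, min_freshness=86400):
    """Return (freshness_seconds, findings).

    freshness_seconds: how long a browser may reuse the response without
    contacting the server (0 if it must revalidate or refetch every time).
    findings: human-readable problems; empty when the asset caches well.
    min_freshness (assumed: one day) is the lifetime below which a static
    asset is flagged as short-lived.
    """
    now = now or datetime.now(timezone.utc)
    h = parse_headers(raw)
    findings = []

    ctype = h.get("content-type", "").split(";")[0].strip()
    if not ctype.startswith(STATIC_PREFIXES):
        findings.append(f"content-type {ctype!r} is not a typical static asset")

    cc = cache_control(h.get("cache-control", ""))
    freshness = 0
    if "no-store" in cc:
        findings.append("Cache-Control: no-store forbids caching entirely")
    elif "no-cache" in cc or cc.get("max-age") == "0":
        findings.append("Cache-Control forces a revalidation request on every use")
    elif (cc.get("max-age") or "").isdigit():
        freshness = int(cc["max-age"])  # max-age wins over Expires when both are present
    elif "expires" in h:
        try:
            expires = email.utils.parsedate_to_datetime(h["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            freshness = max(0, int((expires - now).total_seconds()))
        except (TypeError, ValueError):
            findings.append(f"Expires {h['expires']!r} is not a valid HTTP date")
    else:
        findings.append("no Cache-Control max-age and no Expires: the browser guesses a lifetime")

    if 0 < freshness < min_freshness:
        findings.append(f"freshness of {freshness}s is short for a static asset")
    if "etag" not in h and "last-modified" not in h:
        findings.append("no ETag or Last-Modified: a stale copy is refetched in full, not revalidated")
    if "set-cookie" in h:
        findings.append("Set-Cookie on a static asset: shared caches and CDNs usually refuse to store it")
    if h.get("vary", "").strip() == "*":
        findings.append("Vary: * makes the response effectively uncacheable")
    return freshness, findings


if __name__ == "__main__":
    for label, block in (("bad", BAD_HEADERS), ("good", GOOD_HEADERS), ("expires", EXPIRES_HEADERS)):
        freshness, findings = audit_cache_headers(block, now=SAMPLE_NOW)
        print(f"{label}: fresh for {freshness}s; " + ("; ".join(findings) or "no findings"))
```

Run it against your own server's output by pasting the result of `curl -I http://yourhost/logo.png` into the string; the BAD sample is what a default PHP setup with a session cookie on every response tends to produce, and each of its three findings means one more request (or a full download) every time the page is opened.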

Solution 2:

It sounds like your host has some sort of anti-DOS configuration setup and your customer is triggering it by opening many tabs simultaneously. I'm not surprised if a single tab accessing your system is opening several simultaneous HTTP sessions to download files in parallel - so if your customer has 10 tabs opening at once, as newer browsers offer to do, then it's not surprising to hear that your customer is opening 10 x several HTTP sessions to your server.

IE 8 opens up to 6 concurrent sessions to the same hostname.

If you have several hostnames set up as CNAMEs pointing to the same IP (some people like to set up, say, "images.example.com", "css.example.com" and "forums.example.com", all pointing to the same actual host), you may be making the problem worse by making it hard for IE to see that they are all the same machine - apparently the comparison is done by host NAME, not IP.

Your customer could probably reduce the likelihood of this occurring by using a different browser, using a local cache, modifying his IE installation to use fewer simultaneous sessions, or by not loading so many tabs at once.

You could ask your host to increase the number of allowable connections to your webserver, shrink the time window for detecting overusage, or whitelist your customer(s) if your customer(s) use predictable IP addresses.

If your host's firewall is excluding based upon the number of simultaneous open connections, you might be able to improve the situation by making sure your configuration is optimized - e.g., minimizing unnecessary queries, looking at caching with varnish or some other sort of accelerator, turning on compression, making sure you're allowing HTTP persistent connections.

This sounds like a tough problem to solve if you can't control the system making the connections or the system limiting the connections.
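An added example, not code from either answer: a Python script that estimates the connection count the two answers describe, per host name and per tab, and shows why the CNAME setup in this answer makes it worse. It pulls the scripts, stylesheets and images out of an HTML document, counts them per host name (the unit the browser's limit applies to, as the answer says, not the IP), caps each name at the per-host limit, and then adds up what lands on each IP. The per-host limit of 6 is IE8's figure from the answer; the sample HTML and the host-to-IP mapping are constructed, standing in for the real page and a DNS lookup.

```python
"""Estimate the connections a page opens per host name, and per tab.

Added example, not code from either answer. Browsers apply their per-host
connection limit to the host NAME, so a page whose assets are spread over
several CNAMEs of one server can open several times the limit against that
single IP. The limit of 6 is IE8's figure from the answer; the HTML and the
host-to-IP mapping are constructed.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

IE8_PER_HOST = 6

# Constructed page: assets split across three CNAMEs of one box, plus a third party.
SAMPLE_HTML = (
    '<html><head>'
    '<link rel="stylesheet" href="//css.example.com/base.css">'
    '<link rel="stylesheet" href="//css.example.com/forum.css">'
    '<link rel="stylesheet" href="//css.example.com/print.css">'
    '<link rel="icon" href="/favicon.ico">'
    '<script src="/js/app.js"></script>'
    '<script src="/js/forum.js"></script>'
    '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>'
    '</head><body>'
    + "".join(f'<img src="http://images.example.com/thumb{i}.png">' for i in range(8))
    + '</body></html>'
)
# Constructed mapping standing in for a DNS lookup of each host name.
HOST_TO_IP = {
    "www.example.com": "203.0.113.10",
    "css.example.com": "203.0.113.10",
    "images.example.com": "203.0.113.10",
}


class ResourceCollector(HTMLParser):
    """Collect absolute URLs of scripts, stylesheets and images."""
    TAG_ATTRS = {"img": "src", "script": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAG_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # icons, alternate links etc. are not fetched with the page load
        if attrs.get(attr):
            self.urls.append(urljoin(self.base_url, attrs[attr]))


def resources_by_host(html, base_url):
    """Count fetched resources per host name, the unit the browser limit applies to."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    return Counter(urlsplit(u).hostname for u in collector.urls)


def estimate_connections(html, base_url, tabs=1, per_host=IE8_PER_HOST, host_to_ip=None):
    """Return {server: parallel connections} for `tabs` tabs loading the page at once.

    `server` is the IP from host_to_ip when the host is known, else the host
    name. Each host name contributes min(resources, per_host), because the
    browser caps per name; several names on one IP then add up on that IP.
    """
    host_to_ip = host_to_ip or {}
    per_server = Counter()
    for host, n in resources_by_host(html, base_url).items():
        per_server[host_to_ip.get(host, host)] += min(n, per_host) * tabs
    return dict(per_server)


if __name__ == "__main__":
    base = "http://www.example.com/forum/"
    print("split across CNAMEs:",
          estimate_connections(SAMPLE_HTML, base, tabs=10, host_to_ip=HOST_TO_IP))
    # Same page with every asset served from the one host name.
    one_host = (SAMPLE_HTML.replace("//css.example.com", "//www.example.com")
                           .replace("//images.example.com", "//www.example.com"))
    print("served from one host name:",
          estimate_connections(one_host, base, tabs=10, host_to_ip=HOST_TO_IP))
```

With the constructed page, ten tabs put 110 parallel connections on the one IP when the assets are split over three CNAMEs (6 + 3 + 2 per tab), but only 60 (the per-name cap of 6) when everything is served from www.example.com. A real page with more assets hits the cap on every name, so the multiplier is simply the number of host names you point at the box.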