Server hammered with HTTP requests
Hi guys
Have got a server that hosts around 60 websites. The average load has been absolutely hammered today with HTTP requests, but they all seem to be for one particular site. I have been checking the raw Apache log throughout the day and blocking the various IP addresses, but each time I block one, a new one appears. I trace them and they are from all different locations too, starting with USA, then Sweden, Netherlands etc.
Here is a snippet from the apache log for this 1 site, and the log currently contains 70,000+ lines:
84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15246 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 GTB5"
84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15249 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01"
84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15248 "-" "Mozilla/4.8 [en] (Windows NT 5.1; U)"
84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15265 "-" "Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10"
84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15248 "-" "SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1"
84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15250 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8"
84.17.46.229 - - [10/May/2022:19:33:14 +0000] "POST /page/3/ HTTP/1.1" 200 15283 "-" "Mozilla/5.0 (Linux; U; Android 1.5; en-us; T-Mobile G1 Build/CRB43) AppleWebKit/528.5 (KHTML, like Gecko) Version/3.1.2 Mobile Safari 525.20.1"
84.17.46.229 - - [10/May/2022:19:33:14 +0000] "POST /page/3/ HTTP/1.1" 200 15249 "-" "Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.30-7.dmz.1-liquorix-686; X11) KHTML/3.5.10 (like Gecko) (Debian package 4:3.5.10.dfsg.1-1 b1)"
84.17.46.229 - - [10/May/2022:19:33:14 +0000] "POST /page/3/ HTTP/1.1" 200 15255 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10"
84.17.46.229 - - [10/May/2022:19:33:14 +0000] "POST /page/3/ HTTP/1.1" 200 167 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8"
84.17.46.229 - - [10/May/2022:19:33:14 +0000] "POST /page/3/ HTTP/1.1" 200 15231 "-" "msnbot/1.0 ( robot@gais.cs.ccu.edu.tw;
Thanks @cPRex - I'll try the Evasive. Unfortunately I don't have any other support, it's an AWS EC2 instance so I'm on my own with this one.
I have had the Evasive module installed since this thread, unfortunately today this seems to have reoccurred, the load on the server as I type is currently "102.46 89.32 64.66". I have run netstat -tn 2>/dev/null | grep ":80" which I read somewhere but this doesn't really help identify anything.
Have just amended the config for the mod evasive to change site count from 100 to 50, restarted apache, load has gone down for now but will monitor to see if this is only due to the restart or if it is a more long term solution.
Unfortunately the issue is still there, load is going up as I type, attached it from process manager - any further ideas?
With so many requests happening you'll want to reach out to your hosting provider or datacenter and see if they can provide an external solution to help with this traffic. With the load so high, your server isn't going to be able to handle that traffic.
@cPRex - Thanks, unfortunately I don't have a hosting provider, this is an EC2 instance by AWS so I'm on my own. I have been advised to install mod_dumpio so that I can see the headers from the POST requests, but where do I change the config of it to change the log level and where do I also see the logs? Thanks
cPanel does have that module available as part of EasyApache so you can install that through WHM >> EasyApache 4. The various configuration options are listed here: Mitigation techniques - AWS Best Practices for DDoS Resiliency
Thanks again - I have looked at AWS Shield from your link and it states that it is automatically enabled with all EC2 instances so I already have this although the dashboard has identified 0 events in the last year.
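The log snippet in the first post shows one address sending POST requests to /page/3/ with a different User-Agent on almost every request, which a per-IP summary of the access log makes visible where netstat does not. The following is an added example, not part of the thread: the function names, the thresholds and the 198.51.100.7 visitor are assumptions, and the sample lines are constructed from the format of the snippet.

```python
import re
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)'  # closing quote not required, so truncated lines still parse
)

def summarise(lines):
    """Per client IP: request count, POST count, distinct User-Agents, hits per path."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "agents": set(), "paths": defaultdict(int)})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        s = stats[m["ip"]]
        s["requests"] += 1
        s["posts"] += m["method"] == "POST"
        s["agents"].add(m["ua"])
        s["paths"][m["path"]] += 1
    return stats

def suspects(stats, min_requests=5, ua_ratio=0.8):
    """Flag IPs whose User-Agent changes on nearly every request (thresholds are assumptions)."""
    flagged = []
    for ip, s in stats.items():
        if s["requests"] >= min_requests and len(s["agents"]) / s["requests"] >= ua_ratio:
            top_path = max(s["paths"], key=s["paths"].get)
            flagged.append((ip, s["requests"], len(s["agents"]), s["posts"], top_path))
    return sorted(flagged, key=lambda f: f[1], reverse=True)

# Constructed sample: five rotating-agent POSTs modelled on the snippet, plus one
# ordinary visitor on a documentation address that does not appear in the thread.
AGENTS = [
    "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.7.62 Version/11.01",
    "Mozilla/4.8 [en] (Windows NT 5.1; U)",
    "Opera/9.80 (Windows NT 5.2; U; en) Presto/2.2.15 Version/10.10",
    "SonyEricssonK610i/R1CB Browser/NetFront/3.3 Profile/MIDP-2.0 Configuration/CLDC-1.1",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/125.2 (KHTML, like Gecko) Safari/125.8",
]
SAMPLE = [f'84.17.46.229 - - [10/May/2022:19:33:13 +0000] "POST /page/3/ HTTP/1.1" 200 15249 "-" "{ua}"' for ua in AGENTS]
SAMPLE += [f'198.51.100.7 - - [10/May/2022:19:33:1{i} +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"' for i in range(6)]

if __name__ == "__main__":
    for ip, requests, agents, posts, path in suspects(summarise(SAMPLE)):
        print(f"{ip}: {requests} requests, {agents} user agents, {posts} POSTs, mostly {path}")
```

To run it against a real log, pass the open file to `summarise()`; the top path and POST count it reports show which URL a rate limit or request filter should target, rather than the individual addresses.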