Massive Request from certain IPs, what is this?

JRTech

Hello,

Can someone explain to me, what happens with my server. In recent days, I've got massive request from certain IPs that causes my Load Average increase drastically (4.XX for 1 CPU) I am using Vultr $5/m)

This is access log file:

http://i.imgur.com/0fhOLID.png

I tried to block all IPs using UFW

ufw deny from 52.220.xx.xx
ufw deny from 52.221.xx.xx
ufw deny from 13.228.xx.xx
ufw deny from 13.228.xx.xx
etc...

But then I cannot access my site.

I am using Cloudflare free plan. If I activate "I am under attack" option, those requests are gone

Are the IPs belongs to Cloudflare network? I did a whois IP, and the result says that IPs are belongs to Amazon.

http://i.imgur.com/VP6eSO9.png

http://i.imgur.com/UwXhtsX.png

What am I supposed to do now?

dedicados

why you dont add a simple firewall like CSF, if they do too many request just get blocked.

and you will not see them again.

Francisco

Are they hitting a wp-login.php?

Francisco

raindog308

Someone might be...

• attacking your site
• attacking the IP because they didn't like the previous user of that IP
• misdirecting their lazer

But as @dedicados says, an active firewall like CSF is a good recommendation. CSF will only block abusive IPs.

24x7servermanagement

Your website/server is under attack and you should block those IP's in the firewall to avoid downtime.

sin

What webserver are you using? Most webservers will allow you to rate limit requests. Cloudflare has a list of the IPv4 and IPv6 that they use so just don't block those.

JRTech

Thanks guys, I install CSF and block those IPs.

The problem is solved.

My server is back to normal.

Makenai

Since those seem like AWS IPs I strongly suggest that you report them to AWS. The information on how to do that is available in the IP whois.
whois 52.220.xx.xx

Account responsible for those IPs will receive EC2 abuse report and will have to explain itself to AWS support.

Help others save the headache you had )

tux

Take a snapshot and then recreate server with different IP using that snapshot.

qtwrk

@tux said:
Take a snapshot and then recreate server with different IP using that snapshot.

it's one way to go , but be honest it's not really a good idea , you can't just hide and run away every time you got a problem.

jar

@qtwrk said:

@tux said:
Take a snapshot and then recreate server with different IP using that snapshot.

it's one way to go , but be honest it's not really a good idea , you can't just hide and run away every time you got a problem.

You're always supposed to blame the provider and change to a new provider, then use the fact that the requests stop showing up in the logs at the new provider as confirmation that your previous provider was shit.

Repeat monthly.

qtwrk

@jarland said:

@qtwrk said:

@tux said:
Take a snapshot and then recreate server with different IP using that snapshot.

it's one way to go , but be honest it's not really a good idea , you can't just hide and run away every time you got a problem.

You're always supposed to blame the provider and change to a new provider, then use the fact that the requests stop showing up in the logs at the new provider as confirmation that your previous provider was shit.

Repeat monthly.

I'm sorry, did i do anything wrong here? What's all this about?
Did i just offend you or what?

jar

qtwrk said: I'm sorry, did i do anything wrong here? What's all this about? Did i just offend you or what?

You did just now, actually. I'm extremely offended by your refusal to laugh at my joke.

qtwrk

@jarland said:

qtwrk said: I'm sorry, did i do anything wrong here? What's all this about? Did i just offend you or what?

You did just now, actually. I'm extremely offended by your refusal to laugh at my joke.

ha, ha , ha , that's really nice one

-_- !!!!!