Massive Request from certain IPs, what is this?
Hello,
Can someone explain to me what is happening with my server? In recent days, I've got massive requests from certain IPs that cause my load average to increase drastically (4.XX for 1 CPU; I am using Vultr $5/m).
This is access log file:
http://i.imgur.com/0fhOLID.png
I tried to block all IPs using UFW
ufw deny from 52.220.xx.xx
ufw deny from 52.221.xx.xx
ufw deny from 13.228.xx.xx
ufw deny from 13.228.xx.xx
etc...
But then I cannot access my site.
I am using Cloudflare free plan. If I activate "I am under attack" option, those requests are gone
Do the IPs belong to the Cloudflare network? I did a whois on the IPs, and the result says that the IPs belong to Amazon.
http://i.imgur.com/VP6eSO9.png
http://i.imgur.com/UwXhtsX.png
What am I supposed to do now?
Comments
Why don't you add a simple firewall like CSF? If they make too many requests, they just get blocked.
And you will not see them again.
Are they hitting a wp-login.php?
Francisco
Someone might be...
But as @dedicados says, an active firewall like CSF is a good recommendation. CSF will only block abusive IPs.
Your website/server is under attack and you should block those IPs in the firewall to avoid downtime.
What webserver are you using? Most webservers will allow you to rate limit requests. Cloudflare has a list of the IPv4 and IPv6 that they use so just don't block those.
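One way to apply the advice above about not blocking Cloudflare's ranges, as an added example that is not part of the original thread: it counts requests per client IP in an access log and emits `ufw deny` rules only for heavy hitters that fall outside Cloudflare's ranges. The range list is a sample subset that must be refreshed from Cloudflare's published list, and the log lines, threshold and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Sample subset of Cloudflare's published IPv4 ranges (assumption: refresh
# from Cloudflare's current list before use, since it changes over time).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
)]

# Constructed access-log lines in common log format (not the poster's log).
_LINE = '{ip} - - [01/Jan/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512'
SAMPLE_LOG = "\n".join(
    [_LINE.format(ip="203.0.113.7")] * 6      # noisy client, documentation range
    + [_LINE.format(ip="172.68.10.5")] * 5    # noisy, but inside a Cloudflare range
    + [_LINE.format(ip="198.51.100.9")] * 1   # ordinary visitor
    + ["garbage line without an address"]
)

def is_cloudflare(ip):
    """True if ip falls inside one of the listed Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def count_clients(log_text):
    """Count requests per client IP, taking the first field of each line."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])   # skip lines with no valid address
        except ValueError:
            continue
        counts[fields[0]] += 1
    return counts

def block_candidates(log_text, threshold):
    """Return (ips_to_block, cloudflare_ips_skipped) for IPs at/over threshold."""
    to_block, skipped = [], []
    for ip, hits in count_clients(log_text).most_common():
        if hits >= threshold:
            (skipped if is_cloudflare(ip) else to_block).append(ip)
    return to_block, skipped

def ufw_rules(ips):
    """Render the deny rules in the form used earlier in the thread."""
    return [f"ufw deny from {ip}" for ip in ips]
```

Review the generated rules before applying them; an IP listed under the skipped Cloudflare addresses is better handled with Cloudflare's own controls than at the origin firewall.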
Thanks guys, I installed CSF and blocked those IPs.
The problem is solved.
My server is back to normal.
Since those seem like AWS IPs I strongly suggest that you report them to AWS. The information on how to do that is available in the IP whois.
whois 52.220.xx.xx
The account responsible for those IPs will receive an EC2 abuse report and will have to explain itself to AWS support.
Help others save the headache you had )
Take a snapshot and then recreate server with different IP using that snapshot.
It's one way to go, but to be honest it's not really a good idea; you can't just hide and run away every time you get a problem.
You're always supposed to blame the provider and change to a new provider, then use the fact that the requests stop showing up in the logs at the new provider as confirmation that your previous provider was shit.
Repeat monthly.
I'm sorry, did I do anything wrong here? What's all this about?
Did I just offend you or what?
You did just now, actually. I'm extremely offended by your refusal to laugh at my joke.
Ha, ha, ha, that's a really nice one.
-_- !!!!!