How to spot an HTTP flood on a server

isscbta

Possible scenarios:
1. When the site is attacked from a single IP address
2. When the site is attacked from multiple IP addresses

1. When the site is attacked from a single IP address:
If we receive a ticket informing us that a site is slow, or returns an error 500 or similar, that could indicate that the server is under attack. Here we describe the steps to check for this and stop it:

Go to the "SERVER" page and click "show: CPU / MEM / NET / DISK":

2.png

Now click on "WEB":

3.png

Here you can see that almost all slots are filled with requests (W means waiting to be processed).

Scroll down a bit:

4.png

We can see here that all waiting slots are filled from the same IP address.
In this example we also see that the bot attacked phpMyAdmin, probably trying to brute force a password.

Now we are going to block him.

Go to "FIREWALL" and then "ADD RULE"

5.png

Now enter his IP address and enter port "80,443" in order to block him from both HTTP and HTTPS ports:

6.png

That's it.

In case we also want to break his current HTTP/HTTPS (keep-alive) connections, we can restart nginx:

7.png

2. When the site is attacked from multiple IP addresses:
First, as a quick fix for this problem, we are going to suspend the website's domain in order to prevent the attack from slowing down the whole server and all other sites on it.

suspend2.png

Obviously, this is only a short-term fix. If the attacks continue, you'll need to take some additional steps, such as putting the website behind CloudFlare.
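
The same single-IP versus multiple-IP decision can be made from the command line. This is an added example, not part of the original post or the panel's own code: it tallies requests per client in a slice of access log and reports whether one address dominates. It assumes the "combined" log format, and the thresholds and sample lines are constructed for illustration. An access log records completed requests, so it approximates the waiting-slot view in the screenshots rather than reproducing it.

```python
import re
from collections import Counter

# Assumed "combined" access-log layout: client IP first, request line in quotes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

def summarize(log_text, dominance=0.5, min_requests=20):
    """Classify a slice of access log by how concentrated the clients are.

    dominance and min_requests are illustrative thresholds, not values from the post.
    """
    hits = Counter()
    paths = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        ip, path = m.groups()
        hits[ip] += 1
        paths.setdefault(ip, Counter())[path] += 1
    total = sum(hits.values())
    if total < min_requests:
        return {"scenario": "insufficient-data", "total": total}
    ip, count = hits.most_common(1)[0]
    result = {"total": total, "clients": len(hits), "ip": ip, "requests": count,
              "share": round(count / total, 2),
              "top_path": paths[ip].most_common(1)[0][0]}
    # One client above the dominance share matches scenario 1 (block that IP).
    # Otherwise no single firewall rule helps: either scenario 2 or normal traffic.
    result["scenario"] = "single-ip" if count / total >= dominance else "no-single-source"
    return result

def _line(ip, path, sec):
    # Builds one constructed log line (documentation-range IPs, made-up timestamp).
    return f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed samples: one noisy client among a few others, then 40 clients with one hit each.
SINGLE = "\n".join([_line("203.0.113.7", "/phpmyadmin/index.php", s) for s in range(40)]
                   + [_line(f"198.51.100.{i}", "/", i) for i in range(1, 6)])
SPREAD = "\n".join(_line(f"198.51.100.{i}", "/", i) for i in range(1, 41))

if __name__ == "__main__":
    for name, sample in (("SINGLE", SINGLE), ("SPREAD", SPREAD)):
        print(name, summarize(sample))
```

A "no-single-source" result does not prove an attack by itself; compare the total against the site's normal request rate before suspending the domain.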
