How to spot an HTTP flood on a server

isscbta
Posts: 39
Joined: Mon Jul 19, 2021 1:41 am

If we receive a ticket informing us that a site is slow, or returns an error 500 or similar, that could indicate that the server may be under attack. Here we describe the steps to check and prevent this:

Go to the "SERVER" page and click "show: CPU / MEM / NET / DISK":

2.png

Now click on "WEB" :

3.png

Here you can see that almost all slots are filled with requests (W as in waiting to be processed).

Scroll down a bit:

4.png

We can see here that all waiting slots are filled from the same IP address.
In this example we also see that the bot attacked phpMyAdmin, probably trying to brute force a password.

Now we are going to block him.

Go to "FIREWALL" and then "ADD RULE"

5.png

Now enter his IP address and enter port "80,443" in order to block him from both HTTP and HTTPS ports:

6.png

That's it.

Just in case we want to break his current HTTP/HTTPS (keep-alive) connections, we can also restart nginx:

7.png
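
The same "one IP fills the slots" check can be run against a web server access log. This is an added example, not part of the original post: it assumes the combined log format, the thresholds are illustrative, and the sample lines are constructed with documentation-range IP addresses.

```python
import re
from collections import Counter, defaultdict

# Combined log format: client IP, ident, user, [timestamp], "request line", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_flood_sources(lines, min_requests=20, min_share=0.5):
    """Return [(ip, count, share, top_path)] for clients that dominate the traffic."""
    per_ip = Counter()
    paths = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        per_ip[m["ip"]] += 1
        # Drop the query string so repeated hits on one script group together
        paths[m["ip"]][m["path"].split("?", 1)[0]] += 1
    total = sum(per_ip.values())
    flagged = []
    for ip, count in per_ip.most_common():
        share = count / total
        # Require both volume and dominance, so one hit on a quiet site is not flagged
        if count >= min_requests and share >= min_share:
            top_path = paths[ip].most_common(1)[0][0]
            flagged.append((ip, count, round(share, 2), top_path))
    return flagged

def build_sample():
    """Constructed log: one client hammering phpMyAdmin, ten ordinary visitors."""
    sample = []
    for i in range(40):
        sample.append(
            f'203.0.113.50 - - [19/Jul/2021:10:00:{i:02d} +0000] '
            '"POST /phpmyadmin/index.php HTTP/1.1" 200 4521 "-" "-"')
    for i in range(10):
        sample.append(
            f'198.51.100.{i + 1} - - [19/Jul/2021:10:01:{i:02d} +0000] '
            '"GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    sample.append("garbage line that does not parse")
    return sample

if __name__ == "__main__":
    for ip, count, share, path in find_flood_sources(build_sample()):
        print(f"{ip}: {count} requests ({share:.0%} of traffic), mostly {path}")
```

An address it flags is the one to enter in the firewall rule for ports 80,443 as described above.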
