
I need some direction in figuring out what's going on here.

I have an EC2 instance that is running a WordPress site. Inbound traffic on the instance is spiking to alarming levels which are not consistent with the usage of the website. Outbound traffic is relatively normal.

This slows down the website and

Apache logs do not reflect the traffic that is hitting the server. There is nothing out of the ordinary in the logs, except for many 'Internal dummy connections' which are spawned by the server, and which, according to my reading, are nothing to worry about.

Wordfence (WordPress security plugin) shows nothing out of the ordinary either. So I'm doubtful that it is an attack of some sort.

What steps can I take to learn the source and content of the traffic that is hitting my EC2 instance?

(Sorry if this is a vague question. I'm not an EC2 expert, and this is all the information I have).


UPDATE: Current suspicion is that it is a DoS attack.

Ron
  • Is it with perfect regularity? WordPress does have its "cron" script, or something I think it's called. – Paul Jun 28 '21 at 17:31
  • @Paul. It's consistent, but not regular, not predictable. And WordPress crons would register as inbound network packets, would they? – Ron Jun 28 '21 at 19:46
  • When I've configured nginx to only permit what is necessary for WordPress to run, I have to `allow ;` or `wp-cron.php` won't run and fills `error.log`, IIRC. I just searched DDG for `wp-cron.php` and this top result article explains it more than I knew before searching. https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30 – Paul Jun 28 '21 at 19:53
  • 1
    Thanks @Paul. However, it's not wp-cron, as calls to wp-cron.php are clearly represented in the logs and they are not excessive. – Ron Jun 29 '21 at 18:53

2 Answers


To make your life easier you would need to use a monitoring tool. Amazon offers CloudWatch, which is a component of AWS that provides real-time monitoring of AWS resources running on Amazon infrastructure; it collects metrics and logs. Try going to CloudWatch > Metrics > EC2 > Per-Instance Metrics, then try to filter by metric name and see if you can figure out what has happened on your instance.

Hope this is useful. Regards!

rriovall
  • Thanks. CloudWatch is already being used. That's how I know about the excessive inbound traffic in the first place. What I'm missing now is a way to inspect that traffic. – Ron Jun 29 '21 at 18:51

For analyzing your inbound traffic, please check the following link:

https://docs.aws.amazon.com/wellarchitected/latest/financial-services-industry-lens/monitor-vpc-flow-logs-for-abnormal-traffic-patterns.html

If you want to be better protected against DDoS attacks you may try to use the AWS Shield service. However, AWS Shield Advanced is a very expensive service, so the AWS Shield Standard option could be your first choice to protect the EC2 instance. You didn't mention at what layer the attack took place. The layer 7 protection = AWS Shield Advanced.
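As an added illustration of the flow-log approach in this answer (example code, not from the answer or from AWS): once VPC Flow Logs are enabled for the instance's network interface, the default-format records can be summarised per source address to see who is sending the inbound bytes. The records below are constructed samples, and `10.0.1.5` is assumed to be the instance's private IP.

```python
"""Summarise default-format VPC Flow Log records by inbound source address.

Default (version 2) field order, space separated:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import defaultdict

# Constructed sample records (assumed instance private IP: 10.0.1.5;
# public addresses are RFC 5737 documentation ranges).
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0abc12345 198.51.100.7 10.0.1.5 51412 443 6 4000 5200000 1624900000 1624900060 ACCEPT OK
2 123456789012 eni-0abc12345 198.51.100.7 10.0.1.5 51413 443 6 3800 4900000 1624900060 1624900120 ACCEPT OK
2 123456789012 eni-0abc12345 203.0.113.25 10.0.1.5 40222 80 6 12 3100 1624900000 1624900060 ACCEPT OK
2 123456789012 eni-0abc12345 203.0.113.9 10.0.1.5 33001 22 6 3 180 1624900000 1624900060 REJECT OK
2 123456789012 eni-0abc12345 10.0.1.5 203.0.113.25 80 40222 6 10 15000 1624900000 1624900060 ACCEPT OK
2 123456789012 eni-0abc12345 - - - - - - - 1624900000 1624900060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(text):
    """Yield one dict per record; NODATA/SKIPDATA records carry no flow fields and are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["packets"], rec["bytes"] = int(rec["packets"]), int(rec["bytes"])
        yield rec

def inbound_by_source(text, instance_ip):
    """Return {srcaddr: (bytes, packets, accepted, rejected)} for flows to instance_ip, largest first."""
    totals = defaultdict(lambda: [0, 0, 0, 0])
    for rec in parse_flow_log(text):
        if rec["dstaddr"] != instance_ip:
            continue  # outbound or unrelated flow
        t = totals[rec["srcaddr"]]
        t[0] += rec["bytes"]
        t[1] += rec["packets"]
        t[2 if rec["action"] == "ACCEPT" else 3] += 1
    ranked = sorted(((k, tuple(v)) for k, v in totals.items()), key=lambda kv: -kv[1][0])
    return dict(ranked)

if __name__ == "__main__":
    for src, (b, p, acc, rej) in inbound_by_source(SAMPLE_FLOW_LOG, "10.0.1.5").items():
        print(f"{src:16} {b:>10} bytes {p:>6} packets  accept={acc} reject={rej}")
```

Against real logs, feed the records exported from the CloudWatch Logs group (or S3) into `inbound_by_source` and compare the top sources and destination ports with what the Apache access log shows; a source that dominates bytes but never appears in Apache is the kind of traffic the question describes.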