My webserver (Debian Bullseye, Apache2) is serving about 50 (small) websites spread over 16 ip addresses. I just noticed that on one of the ip addresses, since the beginning of this month traffic has gone up from an average of 3k/s to an average of 500k/s.

This ip address serves about 8 different domains. Checking the apache logs of these domains, I don't see anything out of the ordinary.

How can I check what is causing this traffic? I tried tcpdump:

tcpdump -i eno1 -v src <ip address>

but I don't really understand its output. So what could be causing the high traffic?

Thanks in advance for your help!

Zippy1970
1 Answer

Actually, the tcpdump method did help me to determine which domain was causing the problem. This specific domain is a WordPress site of which the "reactions" page had been spammed with over 2,000 messages. This page was requested at least a few times per minute (by the same and other spambots) so this was causing the high traffic. I've deleted that page from the website and traffic is back to normal.

Zippy1970
Now you should spend some time thinking about why you couldn't see that from your webserver logs which are there specifically for this purpose. – symcbean Jun 20 '23 at 12:36
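The question asks how to find out which site is responsible for the traffic, and the closing comment points out that the access logs already hold that answer. The script below is an added example, not code from the original post or from the Debian Apache packaging: it aggregates Apache access-log lines by vhost, request path, client address and minute, so a single spammed page like the WordPress "reactions" page stands out immediately. It assumes Debian's `vhost_combined` LogFormat (`%v:%p %h ...`, with the byte count `%O` as the 11th whitespace-separated field); the log lines it runs on are constructed sample data, not real traffic, and the log path named in the comments is an assumption to adjust for per-domain `CustomLog` files.

```shell
#!/bin/sh
# Added example (not from the original post): find which vhost, URL and
# clients account for the traffic by aggregating Apache's own access log.
# Assumes Debian's "vhost_combined" LogFormat, i.e. each line starts with
# "%v:%p %h ..." and the byte count (%O) is field 11. Adjust the field
# numbers if your LogFormat differs.

# Constructed sample log lines (not real traffic): one vhost whose
# /reactions/ page is hammered by two clients, one vhost with normal traffic.
SAMPLE_LOG=$(cat <<'EOF'
www.example-a.test:80 203.0.113.10 - - [03/Jun/2023:10:00:01 +0200] "GET /reactions/ HTTP/1.1" 200 2100000 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
www.example-a.test:80 203.0.113.10 - - [03/Jun/2023:10:00:31 +0200] "GET /reactions/ HTTP/1.1" 200 2100000 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
www.example-a.test:80 198.51.100.7 - - [03/Jun/2023:10:00:45 +0200] "GET /reactions/ HTTP/1.1" 200 2100000 "-" "curl/7.74.0"
www.example-a.test:80 203.0.113.10 - - [03/Jun/2023:10:01:02 +0200] "GET /reactions/ HTTP/1.1" 200 2100000 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
www.example-a.test:80 203.0.113.10 - - [03/Jun/2023:10:01:33 +0200] "GET /reactions/ HTTP/1.1" 200 2100000 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
www.example-a.test:80 198.51.100.7 - - [03/Jun/2023:10:01:50 +0200] "GET /reactions/ HTTP/1.1" 200 2100000 "-" "curl/7.74.0"
www.example-b.test:80 192.0.2.5 - - [03/Jun/2023:10:00:12 +0200] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
www.example-b.test:80 192.0.2.5 - - [03/Jun/2023:10:01:12 +0200] "GET /css/site.css HTTP/1.1" 200 1200 "http://www.example-b.test/" "Mozilla/5.0"
EOF
)

# Bytes sent and hit count per (vhost, path), largest first.
# Output columns: bytes hits vhost path
bytes_by_vhost_path() {
    awk '{
        bytes = ($11 == "-") ? 0 : $11
        key = $1 " " $8
        sum[key] += bytes
        hits[key]++
    }
    END { for (k in sum) printf "%d %d %s\n", sum[k], hits[k], k }' | sort -rn
}

# Hit count per client address for one request path ($1), largest first.
# Output columns: hits client
clients_for_path() {
    awk -v p="$1" '$8 == p { c[$2]++ }
        END { for (k in c) printf "%d %s\n", c[k], k }' | sort -rn
}

# Hits per minute for one request path ($1): shows whether the load is a
# steady crawl (a few hits every minute) or a single burst.
# Output columns: minute hits
hits_per_minute() {
    awk -v p="$1" '$8 == p { m = substr($5, 2, 17); c[m]++ }
        END { for (k in c) printf "%s %d\n", k, c[k] }' | sort
}

# Stand-alone run against the constructed sample. On a real Debian host the
# input would be the combined log, e.g. (path assumed, adjust to your CustomLog):
#   bytes_by_vhost_path < /var/log/apache2/other_vhosts_access.log | head
echo "== bytes by vhost/path =="
printf '%s\n' "$SAMPLE_LOG" | bytes_by_vhost_path | head -n 5
echo "== clients hitting /reactions/ =="
printf '%s\n' "$SAMPLE_LOG" | clients_for_path /reactions/
echo "== /reactions/ hits per minute =="
printf '%s\n' "$SAMPLE_LOG" | hits_per_minute /reactions/
```

Sorting by bytes rather than by hit count is the point: a few requests per minute for a 2 MB page moves far more traffic than thousands of small hits, which is why the per-domain logs did not look unusual at a glance. If you still want to confirm it on the wire for plain HTTP, `tcpdump -i eno1 -A 'dst host <ip address> and dst port 80' | grep -a '^Host:'` prints the requested hostnames; for HTTPS only the SNI in the TLS ClientHello is visible, so the access log stays the more reliable source.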