
TL;DR, Why am I getting hit with so much traffic that is not directed towards my actual website? How do I fix it?

I have been diagnosing a problem for ~6 hours now, that I initially thought was a DDoS attack, but it turned out to be related to this:

https://askubuntu.com/questions/802222/random-urls-in-apache-access-log

Now, I have created a default site, and it has blocked nearly everything, but traffic is coming back through and it's chewing into my Linode's limit, as in, 15 GB in the last 12 hours, with no reported users on Google Analytics.

I have searched everywhere for a solution, and have taken measures to prevent DDoS such as mod_evasive, but now this traffic is returning and it looks like for some reason my server is receiving requests and getting hit for so much data.

Last chunk of /html/site/logs/access.log when the data and cpu started rising again: https://pastebin.com/wskzGNi9

Server Graphs

  • Looks like majority of traffic is originating from `162.193.166.164`. Have you tried blocking this IP address? And/or using Cloudflare? – Paritosh Nov 03 '17 at 02:44
  • I am rejecting it, now, and it is still coming through. I have not tried cloud flare yet, doing what I did above stopped a majority of the traffic. – d4rk s1gm Nov 03 '17 at 04:38
  • How long have you had your website? If new, you may have got an IP address that was previously used by a website under attack – Patrick Mevzek Nov 05 '17 at 18:45
  • It did not start until several days after having the IP. The logs I posted don't make much sense. I have since written a script to drop in iptables any IP address that seems to be performing malicious activities. I went from 4 Mb/s down to now 10 kb/s – d4rk s1gm Nov 06 '17 at 19:43
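
The question and the last comment both come down to the same operation: find out which clients are consuming the bandwidth and block them at the firewall. The script below is an added example, not the poster's own script and not from any of the linked threads. It parses Apache "combined" format lines (the format of the pastebin log), aggregates bytes per client, flags clients that exceed an absolute byte limit or a share of the total, skips loopback and RFC 1918 addresses so a monitoring host is never blocked, and renders the iptables rules as strings for review rather than executing them. The sample log is constructed: only `162.193.166.164` is taken from the comments, the other addresses are documentation ranges, and the file sizes are made up.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache "combined" log format. Only the first
# address appears on the page; the others are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
162.193.166.164 - - [03/Nov/2017:02:10:01 +0000] "GET /some/other/site/page.html HTTP/1.1" 403 199 "-" "Mozilla/5.0"
162.193.166.164 - - [03/Nov/2017:02:10:01 +0000] "GET /download/big.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0"
162.193.166.164 - - [03/Nov/2017:02:10:02 +0000] "GET /download/big.iso HTTP/1.1" 200 52428800 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2017:02:10:05 +0000] "GET /index.html HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2017:02:10:06 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Nov/2017:02:10:07 +0000] "GET /index.html HTTP/1.1" 200 4523 "-" "curl/7.55"
127.0.0.1 - - [03/Nov/2017:02:10:08 +0000] "GET /server-status HTTP/1.1" 200 2048 "-" "monitor"
this line is not a log entry
"""

# client, ident, user, [timestamp], "request", status, bytes ("-" when nothing was sent)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Networks that must never be blocked; add your own management hosts here.
TRUSTED_DEFAULT = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_line(line):
    """Return (ip, status, bytes) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return m.group("ip"), int(m.group("status")), size


def summarize(log_text):
    """Aggregate request count, bytes sent and error responses per client IP."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "errors": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or blank line: skip instead of crashing
        ip, status, size = parsed
        stats[ip]["requests"] += 1
        stats[ip]["bytes"] += size
        if status >= 400:
            stats[ip]["errors"] += 1
    return dict(stats)


def is_trusted(ip, trusted=TRUSTED_DEFAULT):
    """True for addresses that must never be blocked."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True  # not a valid address: never emit a rule for it
    return any(addr in ip_network(net) for net in trusted)


def find_abusers(stats, byte_limit, share_limit=0.5, trusted=TRUSTED_DEFAULT):
    """Clients that pulled more than byte_limit bytes, or more than share_limit of all bytes."""
    total = sum(s["bytes"] for s in stats.values()) or 1
    flagged = []
    for ip, s in stats.items():
        if is_trusted(ip, trusted):
            continue
        if s["bytes"] > byte_limit or s["bytes"] / total > share_limit:
            flagged.append(ip)
    return sorted(flagged)


def iptables_rules(ips):
    """Render DROP rules as strings so they can be reviewed before being run as root."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{ip:16} requests={s['requests']:4} bytes={s['bytes']:>10} errors={s['errors']}")
    # Flag anyone who pulled more than 50 MB in this log window.
    for rule in iptables_rules(find_abusers(stats, byte_limit=50 * 1024 * 1024)):
        print(rule)
```

Run it against a real log with `summarize(open("/var/log/apache2/access.log").read())` and choose `byte_limit` from the size of the window you feed it; a block-list built this way is only as good as its trusted-network list, so put your own monitoring and admin addresses into `TRUSTED_DEFAULT` before automating the resulting rules.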
