
I have a production service for a Flask API used by an app hosted on Amazon Elastic Beanstalk. Every few hours, a hacker scans the address for vulnerable routes like /phpmyadmin. The API only uses our own code, so it is unlikely they will gain access. But the problem is it's hosted on a micro-instance because we normally barely get more than 1000 requests/hour, but this scanning sends hundreds of requests in minutes, causing a short denial of service for our users.

So I'm looking for solutions and so far I've come with:

  • Set up Elastic Beanstalk to spawn a new instance with scaling on network activity; currently it only spawns on CPU usage. Would incur costs, not good.
  • Block the IPs, but the IP address always changes.
  • Cache the IP of 404 requests and block after about 5 attempts in the Flask handler.
  • Optimized the Flask error handler; it did way too much, like sending error logs to Loggly, saving them to the database and sending an email, but the problem still stands.

None of these solutions seems optimal to me; does anyone have experience dealing with a problem like this?

T4rk1n

  • Talk to amazon? Is 'vulnerable routes like /phpmyadmin' something they can block? And yes, this is more of an 'admin' question than a programming one. – Terry Jan Reedy Jul 21 '17 at 17:58

1 Answer

I'm sorry to say that you can't really do too much about this. I don't use Elastic Beanstalk myself, but I have used fail2ban in the past, which blocks IPs that spam the server.

Even if you set up something to ban after a few 404s, Flask will still be handling the request and have the same effect. A quick Google search shows AWS Shield as AWS's DDoS protection. Maybe this would help?

To summarise, you can't stop the requests. If you want to avoid downtime you will need more hardware to deal with the requests, or try DDoS protection from AWS, Cloudflare, etc.

Jim Wright

  • You're right, even with banning the requests will still come and lag. Shield is enabled by default, but it isn't a real DDoS so it doesn't help, just too many requests coming from the same origin to a resource-limited service. Think I may solve my issue with WAF and some URI rules. Just need to transform the EB load balancer to an application load balancer. Thanks anyway. – T4rk1n Jul 21 '17 at 20:21
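The "cache the IP of 404 requests and block after about 5 attempts" option from the question, together with the answer's caveat that the request still reaches the instance, as an added example that is not code from the question, the answer, Flask or any AWS project. It is a stdlib-only WSGI middleware that can be wrapped around a Flask `app.wsgi_app` (or any WSGI callable): it counts 404 responses per client IP in a sliding window, and once the threshold is crossed it answers 429 from the middleware without running the application's routing or its error handler. The demo API, its route names, the IP addresses, the thresholds and the fake clock are all constructed for the demo and are assumptions, not values from the page.

```python
"""Sliding-window 404 throttle as WSGI middleware (added example, not the page's code)."""
import time
from collections import defaultdict, deque


class NotFoundThrottle:
    """Count 404 responses per client IP and short-circuit further requests
    from that IP for block_seconds once threshold misses fall inside window_seconds.

    State is in-process memory: with several workers or instances each keeps
    its own counts, so the threshold is per worker, not global.
    """

    def __init__(self, app, threshold=5, window_seconds=600,
                 block_seconds=3600, clock=time.monotonic):
        self.app = app
        self.threshold = threshold
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.clock = clock                    # injectable for deterministic tests
        self._misses = defaultdict(deque)     # ip -> timestamps of recent 404s
        self._blocked_until = {}              # ip -> clock value when the block expires

    @staticmethod
    def client_ip(environ):
        # Behind a load balancer the peer is the balancer itself. Use the
        # rightmost X-Forwarded-For value: that is the one the trusted proxy
        # appended; earlier values are client-supplied and spoofable. Only do
        # this when the app is actually behind a proxy you control.
        xff = environ.get("HTTP_X_FORWARDED_FOR")
        if xff:
            return xff.split(",")[-1].strip()
        return environ.get("REMOTE_ADDR", "unknown")

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:             # lazy expiry
            del self._blocked_until[ip]
            return False
        return True

    def record_miss(self, ip):
        """Record one 404 for ip; return True if this miss triggers a block."""
        now = self.clock()
        q = self._misses[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop misses outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._blocked_until[ip] = now + self.block_seconds
            q.clear()
            return True
        return False

    def __call__(self, environ, start_response):
        ip = self.client_ip(environ)
        if self.is_blocked(ip):
            start_response("429 Too Many Requests",
                           [("Content-Type", "text/plain"),
                            ("Retry-After", str(self.block_seconds))])
            return [b"too many requests\n"]
        captured = {}

        def _start(status, headers, exc_info=None):
            captured["status"] = status        # observe the app's status line
            return start_response(status, headers, exc_info)

        body = self.app(environ, _start)
        # Assumes the wrapped app calls start_response before returning,
        # as Flask and most WSGI frameworks do.
        if captured.get("status", "").startswith("404"):
            self.record_miss(ip)
        return body


# Constructed stand-in for the Flask API: two known routes, everything else 404.
KNOWN_ROUTES = {"/api/health", "/api/items"}


def demo_api(environ, start_response):
    if environ.get("PATH_INFO") in KNOWN_ROUTES:
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def fake_clock(start=0.0):
    """Return (clock, advance) so the demo does not depend on wall-clock time."""
    state = {"t": start}
    return (lambda: state["t"]), (lambda seconds: state.__setitem__("t", state["t"] + seconds))


def request(app, path, client_ip):
    """Drive a WSGI app with a constructed environ and return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "REMOTE_ADDR": "10.0.0.1",            # the load balancer's address
               "HTTP_X_FORWARDED_FOR": client_ip}    # as appended by the balancer
    seen = {}
    list(app(environ, lambda status, headers, exc_info=None: seen.setdefault("status", status)))
    return seen["status"]


def run_demo():
    """Scanner hits /phpmyadmin six times; a real user stays unaffected; block expires."""
    clock, advance = fake_clock()
    app = NotFoundThrottle(demo_api, threshold=5, window_seconds=600,
                           block_seconds=3600, clock=clock)
    scanner, user = "198.51.100.7", "203.0.113.9"   # constructed documentation addresses
    seen = [request(app, "/phpmyadmin", scanner) for _ in range(6)]
    seen.append(request(app, "/api/health", user))
    advance(3601)                                    # block has lapsed
    seen.append(request(app, "/phpmyadmin", scanner))
    return seen


if __name__ == "__main__":
    for status in run_demo():
        print(status)
```

With Flask this is installed as `app.wsgi_app = NotFoundThrottle(app.wsgi_app)`. Note what it does and does not buy: the first five probes still run through Flask and its error handler, and every later probe still arrives at the instance and is parsed by the WSGI server, which is exactly the answer's point; the saving is only the routing and error-handler work per blocked request. Filtering at the load balancer or WAF, as the asker settled on, drops the traffic before it consumes the instance at all.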