HTTP Flooding?

iBot

My site started to lag lately, don't know why but have been running a forum on it and the number of users online rapidly increases to 900Members and port 80 ceases to respond.

I am running nginx-proxy with apache and php-fpm on cloudflare dns.

This is my netstat:

[root@web sysconfig]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0         web.mysite.com:http 103.22.201.70:12379         TIME_WAIT
tcp        0      0         web.mysite.com:http 103.22.201.68:21832         TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.225.41:46239        TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:51141 TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:52231 TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:50136 TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-48-216.clo:39040 ESTABLISHED
tcp        0      0         web.mysite.com:http 103.22.201.68:46699         TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:52186 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.231.29:53745        TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.222.30:38602        ESTABLISHED
tcp        0      0 localhost.localdomain:51156 localhost.localdomain:30080 TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:50231 TIME_WAIT
tcp        0      0 localhost.localdomain:52231 localhost.localdomain:30080 TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-51-66.clou:11038 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.225.59:23493        TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:50216 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.222.30:34783        ESTABLISHED
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:52527 TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-51-67.clou:59874 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.222.28:34116        TIME_WAIT
tcp        0      0         web.mysite.com:http 141.101.81.127:43813        TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.225.73:43925        TIME_WAIT
tcp        0      0 localhost.localdomain:57799 localhost.localdomain:56253 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.231.66:40677        TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-51-66.clou:24577 TIME_WAIT
tcp        0      0 localhost.localdomain:56268 localhost.localdomain:57799 TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-51-65.clou:10011 TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:52950 TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:50152 TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-51-67.clou:29005 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.231.66:62331        TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.222.30:28278        ESTABLISHED
tcp        0      0 localhost.localdomain:55581 localhost.localdomain:57799 TIME_WAIT
tcp        0      0         web.mysite.com:http 108.162.222.30:16163        ESTABLISHED
tcp        0      0         web.mysite.com:http 108.162.231.30:63017        TIME_WAIT
tcp        0      0         web.mysite.com:http cf-173-245-62-67.clou:38410 TIME_WAIT
tcp        0      0         web.mysite.com:http 141.101.80.127:17771        TIME_WAIT
tcp        0      0 localhost.localdomain:30080 localhost.localdomain:50340 TIME_WAIT

This is a bit more longer with similar pattern.

and when I look at htop, I see numerous "php-fpm: pool" and "nginx worker process" being created.

Am I being attacked or did I configure my webserver incorrectly?

Thanks again

EarthVPN

Check your http logs, access_log in order to understand if you are under http flood / an aggressive search engine bot is crawling.

iBot

here's the access log: http://pastiebin.com/51f8e9a74be00

FRCorey

Probably cloudflare lagging since those logs show ip's from cloudflare.

iBot

@FRCorey said:
Probably cloudflare lagging since those logs show ip's from cloudflare.

But why am I not able to access the site via it's real ip? I get a time out, and the CPU and memory are hogging at the moment.

EarthVPN

In order to see real visitor IPs instead of cloudflare you shoud use cloudflare module on apache/nginx. It seems like you are under http flood attack.Just enable I'm under attack mode on cloudflare in order to protect http flood.

iBot

don't have that Panic button anymore, my forum recognizes the IP correctly, so I just dropped the idea of install that module.

bdtech

https://support.cloudflare.com/entries/22051973-Does-CloudFlare-have-an-IP-module-for-Nginx-

Then also enable limit_request in nginx to x number of php requests per minute per IP (make sure php only in your nginx location not all requests). I usually do 30 per minute.

BrianHarrison

Try running this command and see if there a high number of connections from the same IPs: netstat -nA inet |awk '/^[ut]/{print $5}'|cut -d: -f1 |sort |uniq -c |sort -n

Of course, if you're running Cloudflare that's what you'd expect to see on Cloudflare IPs.

iBot

@bdtech will look into it

@BrianHarrison

  1 103.22.201.101
  1 108.162.210.243
  1 108.162.212.161
  1 108.162.212.207
  1 108.162.215.229
  1 108.162.215.9
  1 108.162.216.29
  1 108.162.219.219
  1 108.162.222.19
  1 108.162.222.20
  1 108.162.222.77
  1 108.162.225.19
  1 108.162.225.31
  1 108.162.225.53
  1 108.162.225.67
  1 108.162.229.19
  1 108.162.229.20
  1 108.162.229.59
  1 108.162.229.61
  1 108.162.231.17
  1 108.162.231.77
  1 108.162.237.130
  1 141.101.80.128
  1 141.101.81.222
  1 141.101.98.160
  1 141.101.98.182
  1 141.101.98.203
  1 173.245.50.65
  1 173.245.50.67
  1 173.245.51.61
  1 173.245.51.71
  1 173.245.52.217
  1 173.245.52.219
  1 173.245.52.225
  1 173.245.56.132
  1 173.245.56.136
  1 173.245.56.154
  1 173.245.56.159
  1 178.154.243.103
  1 66.249.73.154
  2 103.22.201.69
  2 108.162.210.190
  2 108.162.210.192
  2 108.162.212.152
  2 108.162.214.41
  2 108.162.215.235
  2 108.162.215.237
  2 108.162.215.243
  2 108.162.222.31
  2 108.162.222.41
  2 108.162.225.33
  2 108.162.231.44
  2 108.162.231.71
  2 108.162.231.79
  2 141.101.80.222
  2 141.101.98.120
  2 141.101.98.208
  2 141.101.99.210
  2 173.245.48.24
  2 173.245.56.133
  2 173.245.56.140
  2 173.245.56.156
  2 173.245.56.173
  2 173.245.56.175
  3 108.162.212.144
  3 108.162.212.213
  3 108.162.221.78
  3 108.162.222.56
  3 108.162.231.16
  3 108.162.231.61
  3 108.162.249.177
  3 117.200.132.119
  3 141.101.99.220
  3 173.245.51.78
  3 173.245.56.137
  3 173.245.56.148
  3 173.245.56.176
  4 108.162.210.199
  4 108.162.210.249
  4 108.162.215.224
  4 108.162.222.53
  4 108.162.225.29
  4 108.162.225.65
  4 108.162.225.72
  4 108.162.225.78
  4 108.162.229.66
  4 108.162.231.53
  4 108.162.231.66
  4 141.101.98.146
  4 141.101.98.15
  4 173.245.48.215
  4 173.245.48.225
  4 173.245.48.246
  4 173.245.49.72
  4 173.245.52.233
  4 173.245.62.67
  5 103.22.201.74
  5 108.162.210.193
  5 108.162.210.202
  5 108.162.219.235
  5 108.162.221.67
  5 108.162.225.45
  5 108.162.225.71
  5 108.162.225.79
  5 108.162.231.41
  5 141.101.98.170
  5 173.245.49.60
  5 173.245.51.72
  5 173.245.52.220
  5 173.245.52.243
  5 173.245.56.139
  6 108.162.212.148
  6 108.162.212.150
  6 108.162.215.234
  6 108.162.215.42
  6 108.162.219.225
  6 108.162.222.28
  6 108.162.229.16
  6 108.162.229.52
  6 141.101.88.133
  6 141.101.98.201
  6 141.101.98.205
  6 173.245.48.243
  6 173.245.48.245
  6 173.245.52.242
  6 173.245.62.66
  6 80.84.55.183
  7 103.22.201.102
  7 108.162.215.217
  7 108.162.219.234
  7 108.162.222.17
  7 108.162.222.61
  7 108.162.231.72
  7 108.162.241.219
  7 141.101.92.124
  7 141.101.98.189
  7 173.245.48.228
  8 103.22.201.103
  8 108.162.212.157
  8 108.162.212.158
  8 108.162.212.195
  8 108.162.215.6
  8 108.162.225.55
  8 108.162.231.20
  8 141.101.98.148
  8 173.245.48.242
  9 103.22.201.76
  9 103.22.201.90
  9 108.162.210.210
  9 108.162.212.164
  9 108.162.215.215
  9 108.162.215.226
  9 108.162.215.45
  9 108.162.219.25
  9 141.101.98.156
  9 141.101.98.179
  9 173.245.49.73
 10 108.162.212.149
 10 108.162.212.156
 10 108.162.215.236
 10 108.162.215.5
 10 108.162.231.78
 10 141.101.85.219
 10 141.101.98.172
 10 173.245.56.161
 11 108.162.212.201
 11 108.162.215.41
 11 108.162.225.57
 11 108.162.231.30
 11 108.162.231.73
 11 141.101.98.127
 11 173.245.48.233
 11 173.245.51.77
 11 173.245.56.166
 11 173.245.62.78
 12 108.162.210.196
 12 108.162.215.40
 12 108.162.219.6
 12 108.162.222.29
 12 108.162.222.78
 12 108.162.225.17
 12 108.162.231.60
 12 141.101.98.25
 13 103.22.201.87
 13 108.162.215.44
 13 108.162.231.52
 13 108.162.231.58
 13 141.101.98.151
 13 173.245.48.220
 13 173.245.48.237
 14 108.162.210.204
 14 108.162.225.77
 14 108.162.231.21
 15 108.162.215.22
 15 108.162.215.245
 15 173.245.56.141
 16 108.162.212.154
 16 108.162.215.220
 16 108.162.218.29
 16 108.162.222.42
 16 108.162.231.55
 16 199.27.128.223
 17 108.162.215.242
 17 108.162.225.66
 18 103.22.201.80
 18 108.162.210.206
 18 108.162.215.228
 18 108.162.215.8
 19 103.22.201.85
 19 173.245.48.226
 20 108.162.214.25
 20 173.245.51.65
 21 103.22.201.97
 21 173.245.48.236
 21 173.245.51.73
 22 108.162.215.24
 22 108.162.221.30
 22 173.245.51.66
 24 103.22.201.91
 24 108.162.222.79
 25 103.22.201.96
 25 108.162.214.30
 25 108.162.215.23
 27 108.162.231.32
 27 173.245.48.235
 28 173.245.48.216
 29 108.162.215.26
 31 108.162.222.44
 35 108.162.222.67
 36 108.162.215.247
 2058 127.0.0.1

Switched CloudFlare mode to High