New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
HTTP Flooding?
My site started to lag lately, don't know why but have been running a forum on it and the number of users online rapidly increases to 900Members and port 80 ceases to respond.
I am running nginx-proxy with apache and php-fpm on cloudflare dns.
This is my netstat:
[root@web sysconfig]# netstat Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 web.mysite.com:http 103.22.201.70:12379 TIME_WAIT tcp 0 0 web.mysite.com:http 103.22.201.68:21832 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.225.41:46239 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:51141 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:52231 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:50136 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-48-216.clo:39040 ESTABLISHED tcp 0 0 web.mysite.com:http 103.22.201.68:46699 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:52186 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.231.29:53745 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.222.30:38602 ESTABLISHED tcp 0 0 localhost.localdomain:51156 localhost.localdomain:30080 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:50231 TIME_WAIT tcp 0 0 localhost.localdomain:52231 localhost.localdomain:30080 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-51-66.clou:11038 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.225.59:23493 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:50216 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.222.30:34783 ESTABLISHED tcp 0 0 localhost.localdomain:30080 localhost.localdomain:52527 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-51-67.clou:59874 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.222.28:34116 TIME_WAIT tcp 0 0 web.mysite.com:http 141.101.81.127:43813 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.225.73:43925 TIME_WAIT tcp 0 0 localhost.localdomain:57799 localhost.localdomain:56253 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.231.66:40677 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-51-66.clou:24577 TIME_WAIT tcp 0 0 localhost.localdomain:56268 localhost.localdomain:57799 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-51-65.clou:10011 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:52950 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:50152 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-51-67.clou:29005 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.231.66:62331 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.222.30:28278 ESTABLISHED tcp 0 0 localhost.localdomain:55581 localhost.localdomain:57799 TIME_WAIT tcp 0 0 web.mysite.com:http 108.162.222.30:16163 ESTABLISHED tcp 0 0 web.mysite.com:http 108.162.231.30:63017 TIME_WAIT tcp 0 0 web.mysite.com:http cf-173-245-62-67.clou:38410 TIME_WAIT tcp 0 0 web.mysite.com:http 141.101.80.127:17771 TIME_WAIT tcp 0 0 localhost.localdomain:30080 localhost.localdomain:50340 TIME_WAIT
This is a bit more longer with similar pattern.
and when I look at htop, I see numerous "php-fpm: pool" and "nginx worker process" being created.
Am I being attacked or did I configure my webserver incorrectly?
Thanks again
Comments
Check your http logs, access_log in order to understand if you are under http flood / an aggressive search engine bot is crawling.
here's the access log: http://pastiebin.com/51f8e9a74be00
Probably cloudflare lagging since those logs show ip's from cloudflare.
But why am I not able to access the site via it's real ip? I get a time out, and the CPU and memory are hogging at the moment.
In order to see real visitor IPs instead of cloudflare you shoud use cloudflare module on apache/nginx. It seems like you are under http flood attack.Just enable I'm under attack mode on cloudflare in order to protect http flood.
don't have that Panic button anymore, my forum recognizes the IP correctly, so I just dropped the idea of install that module.
https://support.cloudflare.com/entries/22051973-Does-CloudFlare-have-an-IP-module-for-Nginx-
Then also enable limit_request in nginx to x number of php requests per minute per IP (make sure php only in your nginx location not all requests). I usually do 30 per minute.
Try running this command and see if there a high number of connections from the same IPs: netstat -nA inet |awk '/^[ut]/{print $5}'|cut -d: -f1 |sort |uniq -c |sort -n
Of course, if you're running Cloudflare that's what you'd expect to see on Cloudflare IPs.
@bdtech will look into it
@BrianHarrison
Switched CloudFlare mode to High