0

I have one small project running on Google Cloud. During the last couple of weeks I have noticed serious unexpected traffic to it and (a bit surprisingly in the 2020s) additional bills for it. The volume of traffic looks like this: [image]

This is November. I am not seasoned in administration and Unixes, so I don't know this area, and the site is not very important. What I tried:

iftop: [image]

Apache's access.log: [image] [image]

What can it be? I understand that hackers can try to find vulnerabilities or guess passwords. But this doesn't even look like that. What is this? Is there any more or less simple way to block it?

Site's IP is 35.185.230.240

Mikhail M
  • 101
  • 1

1 Answer

2

Yes, it sounds like hackers trying to scan your application looking for vulnerabilities.

It doesn't mean it's a direct attack. There are many bots and scripts available on the Internet that can scan a range of IPs, domains, and the like. So, your server could just be in that range.

The most important thing is securing your application. If it's running on a VM, secure your VM by applying hardening techniques and patch management.

There are also additional services that can be used at the ISP border for filtering malicious traffic, like Cloud Armor (on GCP), AWS WAF or even Cloudflare.

Hope that helps

surfingonthenet
  • 695
  • 2
  • 6
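
A first triage step for the access.log mentioned in the question, as an added example that is not part of the original post or answer: it groups Apache combined-format lines by client IP, flags clients that request many distinct paths and mostly receive 4xx responses, and ranks clients by bytes served. The sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def summarize(lines):
    """Per client IP: request count, response bytes, 4xx count, distinct paths."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "errors": 0, "paths": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or empty request line
        s = stats[m["ip"]]
        s["requests"] += 1
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        s["errors"] += m["status"].startswith("4")
        s["paths"].add(m["path"])
    return stats

def likely_scanners(stats, min_paths=4, min_error_ratio=0.75):
    """IPs that probe many distinct paths and mostly get 4xx responses."""
    return sorted(ip for ip, s in stats.items()
                  if len(s["paths"]) >= min_paths
                  and s["errors"] / s["requests"] >= min_error_ratio)

def top_by_bytes(stats, n=3):
    """Clients that cause the most egress, which is what traffic charges follow."""
    return sorted(((s["bytes"], ip) for ip, s in stats.items()), reverse=True)[:n]

def entry(ip, path, status, size):
    """Build one constructed log line (documentation IP ranges, made-up paths)."""
    return f'{ip} - - [12/Nov/2021:10:00:00 +0000] "GET {path} HTTP/1.1" {status} {size} "-" "-"'

# Constructed sample, not taken from the question's screenshots.
SAMPLE = (
    [entry("203.0.113.7", p, 404, 196) for p in ("/a.php", "/b.php", "/c.php", "/d.php")]
    + [entry("198.51.100.20", "/media/big.bin", 200, 5_000_000)] * 3
    + [entry("192.0.2.10", "/", 200, 5120), '192.0.2.99 - - [x] "-" 408 -']
)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print("likely scanners:", likely_scanners(stats))
    print("top egress:", top_by_bytes(stats))
```

In the sample, the client with many 404s is not the one generating the bytes, which is why the two views are kept separate when deciding what to filter.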