
My nginx+Apache+PHP server on Ubuntu is under attack from a single IP address, which causes Apache to run as many processes as possible, which causes the server to crash. The IP is single, and the nginx anti-DoS tool blocks it, but just one request is enough, apparently, to bring my server down.

POST request

Simultaneous number of active connections from Localhost

How can I overcome this attack? Is there any way to limit the number of Apache connections a user can make? But the problem is that they are listed as connections originating from 127.0.0.1. My server is not compromised. I installed Cloudflare and set it up. But that doesn't help in any way, because all a person needs to do is basically make one heavy request to a resource-intensive script to put my server

  • If the connections are originating from the localhost you should consider the server as compromised and rebuild it. – Gerald Schneider Jul 07 '22 at 09:42
  • On the other hand, since you are using both nginx and Apache, if one of them is configured as a reverse proxy for the other that would be a perfectly fine explanation for the connections from localhost. – Gerald Schneider Jul 07 '22 at 09:43
  • If a single call to a script blocks your whole server it can hardly be called a DDOS attack. I'd rather call it either a very crappy script or very undersized hardware. The solution would be to either optimize the script or to scale the hardware out or up. – Gerald Schneider Jul 07 '22 at 10:21
  • I have 8 vCPU, 12 RAM, 120 storage. CPU and memory load is not more than 5-10 percent at times of maximum user activity. Under the malignant DDoSer load this load increases up to 20-25 percent. Perhaps I'm wrong that specifically one request causes the server to crash. The malicious requests make Apache open 150 connections, which take too long to close; I have to restart Apache to make the server work. – MilKMiracle Jul 07 '22 at 11:10
  • Judging by the article linked above, this attack is similar to Load Based. But Google doesn't give any information about its closure – MilKMiracle Jul 07 '22 at 11:11
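
An added example, not part of the original question or comments: when nginx proxies to Apache, Apache sees every connection as 127.0.0.1, but the nginx access log still records the client address. This Python script computes, per client, the peak number of requests held open at once; the `log_format` (with `$request_time`), the paths and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nginx log_format (not from the original post):
#   '$remote_addr [$time_local] "$request" $status $request_time'
LINE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<rt>\d+\.\d+)$'
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 [07/Jul/2022:09:40:30 +0000] "POST /report.php HTTP/1.1" 504 60.000
198.51.100.7 [07/Jul/2022:09:40:31 +0000] "POST /report.php HTTP/1.1" 504 60.000
198.51.100.7 [07/Jul/2022:09:40:32 +0000] "POST /report.php HTTP/1.1" 504 60.000
203.0.113.20 [07/Jul/2022:09:40:05 +0000] "GET /index.php HTTP/1.1" 200 0.120
203.0.113.20 [07/Jul/2022:09:40:10 +0000] "GET /about.php HTTP/1.1" 200 0.095
"""

def peak_concurrency(log_text):
    """Return {client_ip: peak number of requests in flight at once}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        # nginx writes the entry when the request finishes, so the
        # timestamp is the end and $request_time reaches back to the start.
        end = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        start = end - timedelta(seconds=float(m["rt"]))
        events[m["ip"]] += [(start, 1), (end, -1)]
    peaks = {}
    for ip, evs in events.items():
        current = peak = 0
        # Sweep in time order; at equal times -1 sorts before +1, so
        # back-to-back requests are not counted as overlapping.
        for _, delta in sorted(evs):
            current += delta
            peak = max(peak, current)
        peaks[ip] = peak
    return peaks

def suspects(log_text, threshold=3):
    """Clients whose peak in-flight request count reaches the threshold."""
    return sorted(ip for ip, p in peak_concurrency(log_text).items() if p >= threshold)

if __name__ == "__main__":
    print(peak_concurrency(SAMPLE_LOG), suspects(SAMPLE_LOG))
```

Behind Cloudflare, `$remote_addr` is only the visitor's address if nginx restores it with `ngx_http_realip_module`; otherwise the log shows Cloudflare's edge addresses.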

0 Answers