-2

I run a WordPress site on EC2 at AWS and I am facing the following issue:

More than 2 days ago, the CPU went straight to 100% and the load balance up to ~20+ (for a 4-vcpu server) out of the blue.

Being unable to understand what is going on, I activated "I Am Under Attack" mode on Cloudflare (https://blog.cloudflare.com/introducing-im-under-attack-mode/) which brought things back to normal (~15% CPU, <1 load).

Since then, as soon as I disable the "under attack" mode, the exact same happens, crazy CPU, crazy load. I switch it back on, things go to normal.

Additionally, I am monitoring with tcptrack -i eth0 and I see new connections coming in from different IPs when I turn off the Cloudflare protection.

Should I conclude that this is a DDoS attack? What can I do other than sitting behind the Cloudflare firewall and how long can it last?

Thanks for any tips

  • What instance size are you using? Post a screenshot of "top" during a period where this is happening. – EEAA Feb 12 '16 at 13:42
  • Is there any information about referrers in your access logs? If it's not then add it. That may help tell you if your website has gotten popular somewhere. – Tim Feb 12 '16 at 18:32
  • Possible duplicate of [I am under DDoS. What can I do?](http://serverfault.com/questions/531941/i-am-under-ddos-what-can-i-do) – Jim B Feb 21 '16 at 02:21

1 Answer

3

You need to look at your Apache logs to understand what the incoming requests are before jumping to any conclusions. It might not be a DDoS; it could simply be a badly coded page getting lots of traffic, or your site might have gone viral on social media... Look at your Apache logs or get some analytics happening to work out what's going on before deciding on any plan of action.

Nath
  • Hi, thanks for the reply. I am monitoring the Apache access log and error log. The Apache log doesn't show repeating hits to any specific page but just increased activity altogether. Any tips on what I should be looking for? Viral media is not the case since this does not seem to be legit traffic: a) if it were legit, it wouldn't be cut off by Cloudflare's filter and b) there is no increase in Google Analytics – user3367364 Feb 12 '16 at 08:22
  • How are you going with this? There must be something about the requests that you can use to understand why traffic has increased; surely Cloudflare has some logs about the traffic being dropped. – Nath Feb 15 '16 at 06:03
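
One way to do the log breakdown this answer and its comments ask for, as an added example that is not part of the original thread: it tallies an Apache access log by client IP, path, referrer, user agent and minute, so traffic spread over many IPs but sharing an agent or path stands out. It assumes the `combined` LogFormat and that the first field is the real client address (behind Cloudflare that means restoring it, for example with mod_remoteip); the sample lines are constructed.

```python
import re
from collections import Counter

# Apache "combined": host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def summarize(lines, top=3):
    """Count requests per client IP, path, referrer, user agent and minute."""
    counters = {k: Counter() for k in ("ip", "path", "referer", "agent", "minute")}
    parsed = skipped = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed or non-combined line: count it, don't guess
            continue
        parsed += 1
        for key in ("ip", "referer", "agent"):
            counters[key][m[key]] += 1
        # Drop the query string so /?s=abc and /?s=def count as the same page.
        counters["path"][m["path"].split("?", 1)[0]] += 1
        counters["minute"][m["ts"][:17]] += 1  # e.g. "12/Feb/2016:08:01"
    report = {k: c.most_common(top) for k, c in counters.items()}
    report["parsed"], report["skipped"] = parsed, skipped
    report["unique_ips"] = len(counters["ip"])
    return report

# Constructed sample lines (documentation IP ranges, made-up user agent).
SAMPLE = """\
192.0.2.10 - - [12/Feb/2016:08:01:02 +0000] "GET /?s=abc HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
198.51.100.7 - - [12/Feb/2016:08:01:03 +0000] "GET /?s=def HTTP/1.1" 200 5090 "-" "ExampleBot/1.0"
203.0.113.5 - - [12/Feb/2016:08:01:09 +0000] "GET /?s=ghi HTTP/1.1" 200 5101 "-" "ExampleBot/1.0"
192.0.2.44 - - [12/Feb/2016:08:02:15 +0000] "GET /about/ HTTP/1.1" 200 8200 "https://www.example.com/" "Mozilla/5.0"
not a log line
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE.splitlines()).items():
        print(key, value)
```

To run it on a real log, pass an open file object to `summarize()` instead of the sample lines.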