12

My CentOS server is experiencing huge (millions a day) requests looking like this:

```
Srv PID Acc M   CPU SS  Req Conn    Child   Slot    Client  Protocol    VHost   Request
62-1    -   0/0/335 .   0.00    1947    204049  0.0 0.00    0.85    104.248.57.218  http/1.1    www.myrealdomain.co.uk:80   GET http://218.22.14.198/index HTTP/1.1
```

The request looks like my server is spending time serving or getting other pages content. I tried blocking the IPs, which only makes the source scramble up new IPs (both for the client and the request IP) and with no success.

I even have Cloudflare on high safety including their web app firewall, yet these requests still come in droves.

Can anyone explain why these are requested, and more importantly, how to prevent it altogether?

The server is running around 50 sites, all in a basic WordPress configuration, and it is a dedicated server.

Nils Munch
  • 241
  • 2
  • 8
  • Given faker's answer, perhaps it can be beneficial to share more details, such as relevant configuration files. What software are you using, which services are you running, etc? – Tommiie Dec 23 '18 at 19:11
  • Have you checked out the traffic graphs/logs to see when the increase in traffic happened? This may point you at a date when it was misconfigured/breached. – Criggie Dec 23 '18 at 21:04
  • Use [fail2ban](http://www.fail2ban.org/) which blocks them automatically for a given period of time. – Chloe Dec 24 '18 at 03:53
  • fail2ban will fight the symptom not the cause. If I'm right, it wouldn't even block anything. – faker Dec 25 '18 at 22:19

1 Answer

23

It is hard to say what exactly is going on here. However you state:

> The request looks like my server is spending time serving or getting other pages content.

This together with the "GET http://218.22.14.198/index" sounds like you have misconfigured your system and are accidentally running an open proxy which is getting abused.
Basically other systems are now using your system as a proxy, usually to hide their IP address and not exactly doing things you want to be associated with.
You should as soon as possible investigate if this is the case.
A firewall rule here is just a bandaid and not the real solution.

If this is the case - and with the information provided it is impossible to tell - you need to reconfigure your system to stop being an open proxy. It depends on your specific webserver configuration how to do that.

More information for example for Apache httpd:
https://wiki.apache.org/httpd/ProxyAbuse

faker
  • 17,326
  • 2
  • 60
  • 69
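A defender-side check for the open-proxy hypothesis in the answer, as an added example that is not part of the question or the answer: it parses Apache access-log lines in the combined format and flags request lines that carry an absolute URI for a host the server does not serve (the shape of the `GET http://218.22.14.198/index` entry in the question) and CONNECT requests; a 2xx/3xx status on such a request means the server actually acted as a proxy rather than refusing. The log lines and the served-host list below are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# A forward-proxy request carries an absolute URI ("GET http://host/path")
# in the request line instead of a server-relative path.
SAMPLE_LOG = """\
104.248.57.218 - - [23/Dec/2018:18:55:01 +0000] "GET http://218.22.14.198/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2018:18:55:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Dec/2018:18:55:03 +0000] "CONNECT 198.51.100.200:443 HTTP/1.1" 405 0 "-" "curl/7.61"
192.0.2.44 - - [23/Dec/2018:18:55:04 +0000] "GET http://www.myrealdomain.co.uk/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""

# client, (ident, user), [timestamp], "METHOD TARGET HTTP/x.y", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def classify_request(method, target, served_hosts):
    """Classify one request line as 'local', 'proxy' or 'connect'.

    served_hosts is the set of hostnames this server legitimately serves;
    an absolute-form URI for one of them is normal HTTP/1.1, not proxying.
    """
    if method.upper() == "CONNECT":
        return "connect"          # tunnel request, only meaningful to a proxy
    if "://" in target:
        host = (urlsplit(target).hostname or "").lower()
        return "local" if host in served_hosts else "proxy"
    return "local"


def find_proxy_abuse(log_text, served_hosts):
    """Return one dict per request that looks like proxy use.

    'served' is True when the status is below 400, i.e. the server answered
    the proxy-style request instead of refusing it (the real warning sign).
    """
    served = {h.lower() for h in served_hosts}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip lines that are not in combined format
        kind = classify_request(m["method"], m["target"], served)
        if kind == "local":
            continue
        status = int(m["status"])
        hits.append({"client": m["client"], "kind": kind, "method": m["method"],
                     "target": m["target"], "status": status, "served": status < 400})
    return hits
```

Run it over a real access log with the server's own vhost names; any hit with `served` set to True confirms the server is relaying requests and the Apache configuration (mod_proxy, `ProxyRequests`) needs attention.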