Today one of our servers was registering a load of 50 as observed by ssh: top.
Investigation led us to the server logs, which show the server being bombarded by IP addresses like 172.70..
Every IP that we’ve done a geo-ip for has shown the same thing:
location: Singapore, Singapore, Asia
We did an iptables firewall to block the entire 172.70.. subnet and within a few minutes the server load went back to normal.
A few hours later I was live monitoring the server and it happened again! Server load spiked from about 2-3 to 50 and the server became almost non-responsive. We had to firewall the subnet again for about 10 minutes.
Does anyone know what’s going on? We have lots of servers and sites with CF integrated and we’ve never seen this before.