I think one of my website is under attacked and I want to check which IP because I want to block it.
I’ve seen bandwidth soaring to from usual 20mb+ becoming 1.7gb+ on some hours. I don’t have high volume of users. I really think this is an attacked.
Or any suggestions on what’s the best option I should go and do?
Thanks.
First you need to restore the origin IP. You can archive this with mod_remoteip If you’re running Apache. Once done you will see the visitor IPs in your logs and you can Block them with a firewall rule. Even though it is possible, i doubt that it’s only a single address.
In case there are Cloudflare IPs and foreign IPs visible in your logs, it’s a Bad sign because you could be attacked directly either via your IP or a different domain name set by your povider. Often done for management purposes. In this case you need to block everything else than Cloudflare via your host’s firewall. Which definitely should be done from the beginning.