Many simultaneous hits from same IP address

In the past couple of days I’ve received warnings from my web host of high CPU usage / too many MySQL connections. Upon reviewing the user logs, I’m seeing 20+ simultaneous hits to my site from the same random IP address (i.e. at the exact same time, exact to the second) just prior to receiving the warning. I don’t know what to make of this. Since it’s a random IP address, is there any setting on Cloudflare that can help me with this issue?
Thanks!
Paul.

May I ask, is there a need to have a remote MySQL port open to everyone and accept connections from everyone, or rather from a few specific IPs? :thinking:

And which MySQL process / CRUD do they trigger to make it throttle?

Are they coming from Cloudflare network or scanners like Censys, Shodan, etc.?


It’s possible that the MySQL load is due to excessive website requests on a dynamic website, not direct SQL connections from outside.

It’s a classified ads site, so it’s open to everyone. They are SELECT requests. They are coming via Cloudflare (and I have the origin IPs which seem harmless).

Thanks!
Paul.

The best I can suggest is Rate Limiting. Hopefully it’s just the home page, so you can set that as the URL that’s rate limited:

https://support.cloudflare.com/hc/en-us/articles/115001635128

Yes, it’s always hits on the home page! Thanks, I’ll look into Rate Limiting. Do you think Rate Limiting will work on instantaneous requests like this? (exact same time stamp)
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|
|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|

Paul.

Unfortunately, probably not. Is there any other common connection between all these requests? Same User Agent string?

Yes, same user agent for the above listed GET calls:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Safari/605.1.15

Try a Firewall Rule:
If User Agent String CONTAINS 10_15_4
Then JS Challenge

This would be my first line of defense and it should slow down a bot.
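
An added example, not part of the original thread: one way to confirm the pattern described above is to count requests per IP, path and second in the host's access log. The parser assumes the pipe-delimited layout of the log lines quoted earlier; the function names, the threshold and the extra sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout assumed from the quoted lines:
# |ip|-|-|[dd/Mon/yyyy:HH:MM:SS|-0600]|METHOD path PROTO|
LINE_RE = re.compile(
    r"^\|(?P<ip>[^|]+)\|[^|]*\|[^|]*\|\[(?P<ts>[^|\]]+)\|(?P<tz>[+-]\d{4})\]"
    r"\|(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^|]+)\|"
)

def parse_line(line):
    """Return (ip, timestamp, path) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"] + " " + m["tz"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], when, m["path"]

def find_bursts(lines, threshold=10):
    """Return [(ip, path, second, count)] for every IP that requested the
    same path at least `threshold` times within one second, largest first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:  # malformed lines are skipped, not fatal
            counts[rec] += 1
    return sorted(
        ((ip, path, when, n)
         for (ip, when, path), n in counts.items() if n >= threshold),
        key=lambda r: -r[3],
    )

# Constructed sample: the burst line from the thread repeated 16 times,
# plus an ordinary visitor (documentation IP range) and one malformed line.
BURST = "|xxx.255.237.15|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|"
SAMPLE = [BURST] * 16 + [
    "|198.51.100.7|-|-|[28/Jan/2022:09:47:34|-0600]|GET /uk/ HTTP/2.0|",
    "|198.51.100.7|-|-|[28/Jan/2022:09:47:36|-0600]|GET /uk/ads/ HTTP/2.0|",
    "not a log line",
]

if __name__ == "__main__":
    for ip, path, when, n in find_bursts(SAMPLE):
        print(f"{n} hits in one second from {ip} on {path} at {when.isoformat()}")
```

Running it over a full day of logs shows whether the bursts always target the same path and how many distinct IPs produce them, which is what decides between a per-URL rate limit and a User Agent rule.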
