Spike in requests causes shared server overload - no idea how to troubleshoot

wordpress

#1

Hi,

My hosting company has had to block my site as it was causing 99% server usage on a shared server (with 1500 customers). This happened twice in the last month, but Cloudflare doesn’t seem to think it’s malicious activity.

Here is what the log looks like on the server side, but all they register are Cloudflare IP addresses:

172.68.189.245 - - [16/Aug/2018:07:30:26 +0200] "GET /fr/magasins/switzerland/fribourg/fribourg/nature-decouvertes-fribourg/ HTTP/1.1" 200 42256 "https://www.arbolife.com/fr/magasins/ethique-fair-trade-magasin/" "UCWEB7.0.2.37/28/999" www.arbolife.com
172.69.22.6 - - [16/Aug/2018:07:30:24 +0200] "GET /fr/location/switzerland/vaud/mezieres/ HTTP/1.1" 200 45643 "https://www.arbolife.com/fr/restaurants/switzerland/vaud/mezieres/restaurant-du-jorat/" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11" www.arbolife.com
172.68.141.8 - - [16/Aug/2018:07:30:28 +0200] "GET /fr/magasins/switzerland/neuchatel/montezillon/laubier/ HTTP/1.1" 200 43709 "https://www.arbolife.com/fr/magasins/alimentation-saine/" "Mozilla/4.0 (compatible; MSIE 6.0; ) Opera/UCWEB7.0.2.37/28/999" www.arbolife.com
172.68.46.249 - - [16/Aug/2018:07:30:24 +0200] "GET /fr/magasins/alimentation-saine/page/3/ HTTP/1.1" 200 50717 "https://www.arbolife.com/fr/magasins/alimentation-saine/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; TencentTraveler 4.0; .NET CLR 2.0.50727)" www.arbolife.com
172.69.22.126 - - [16/Aug/2018:07:30:26 +0200] "GET /fr/magasins/tags/switzerland/jura/les-breuleux/habits-de-grossesse/ HTTP/1.1" 200 39661 "https://www.arbolife.com/fr/magasins/switzerland/jura/les-breuleux/troc-bouebe/" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11" www.arbolife.com
172.68.211.206 - - [16/Aug/2018:07:30:29 +0200] "GET /fr/restaurants/switzerland/neuchatel/neuchatel/aliments-locaux/ HTTP/1.1" 200 41647 "https://www.arbolife.com/fr/restaurants/switzerland/neuchatel/neuchatel/le-bassin-bleu/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; TencentTraveler 4.0; .NET CLR 2.0.50727)" www.arbolife.com
162.158.59.164 - - [16/Aug/2018:07:30:25 +0200] "GET /fr/magasins/switzerland/bern/bern/brocki-buempliz/ HTTP/1.1" 200 41600 "https://www.arbolife.com/fr/magasins/switzerland/bern/bern/heilsarmee-brocki-3/" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; en) Presto/2.8.131 Version/11.11" www.arbolife.com
172.68.46.39 - - [16/Aug/2018:07:30:29 +0200] "GET /fr/shops-en-ligne/pixie-cosmetics-suisse/ HTTP/1.1" 200 41202 "https://www.arbolife.com/fr/shops-en-ligne/cosmetique/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0" www.arbolife.com
172.68.189.245 - - [16/Aug/2018:07:30:31 +0200] "GET /en/restaurants/sugar-free-options/ HTTP/1.1" 200 42008 "https://www.arbolife.com/fr/restaurants/choix-sans-sucre/" "Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" www.arbolife.com
172.68.141.8 - - [16/Aug/2018:07:30:29 +0200] "GET /fr/shops-en-ligne/puksar-vins/ HTTP/1.1" 200 40264 "https://www.arbolife.com/fr/shops-en-ligne/aromacos/" "Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13" www.arbolife.com
172.68.141.212 - - [16/Aug/2018:07:30:28 +0200] "GET /fr/magasins/tags/switzerland/fribourg/fribourg/vetements-hommes/ HTTP/1.1" 200 39651 "https://www.arbolife.com/fr/magasins/switzerland/fribourg/fribourg/boutique-zig-zag/" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" www.arbolife.com
172.69.22.126 - - [16/Aug/2018:07:30:26 +0200] "GET /fr/magasins/switzerland/bern/bern/rosa-brockenhaus/ HTTP/1.1" 200 41658 "https://www.arbolife.com/fr/magasins/switzerland/bern/bern/heilsarmee-brocki-3/" "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" www.arbolife.com
172.69.22.126 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/events/categories/visite/ HTTP/1.1" 200 36837 "https://www.arbolife.com/fr/events/journee-sur-le-pouvoir-des-plantes-upgreen/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SE 2.X MetaSr 1.0; SE 2.X MetaSr 1.0; .NET CLR 2.0.50727; SE 2.X MetaSr 1.0)" www.arbolife.com
172.68.143.70 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/magasins/switzerland/vaud/concise/skidoc/ HTTP/1.1" 200 41940 "https://www.arbolife.com/fr/magasins/troc/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)" www.arbolife.com
172.68.189.191 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/magasins/switzerland/bern/bern/bellbird-vintage/ HTTP/1.1" 200 41644 "https://www.arbolife.com/fr/magasins/switzerland/bern/bern/heilsarmee-brocki-3/" "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0" www.arbolife.com
172.68.189.161 - - [16/Aug/2018:07:30:32 +0200] "GET /fr/magasins/switzerland/bern/tramelan/magasin-du-monde-tramelan/ HTTP/1.1" 200 41153 "https://www.arbolife.com/fr/magasins/ethique-fair-trade-magasin/" "Mozilla/5.0 (Linux; U; Android 2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" www.arbolife.com
172.68.189.245 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/events/categories/nourriture/sans-gluten/ HTTP/1.1" 200 37179 "https://www.arbolife.com/fr/events/journee-sur-le-pouvoir-des-plantes-upgreen/" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" www.arbolife.com
172.68.141.8 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/events/les-soirees-des-herbettes-into-the-nature-21/?ajaxCalendar=1&mo=7&yr=2018 HTTP/1.1" 200 42150 "https://www.arbolife.com/fr/events/les-soirees-des-herbettes-into-the-nature-21/" "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.18124" www.arbolife.com
172.68.141.212 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/shops-en-ligne/swiss-wellness-factory/ HTTP/1.1" 200 40600 "https://www.arbolife.com/fr/shops-en-ligne/cosmetique/" "UCWEB7.0.2.37/28/999" www.arbolife.com
172.68.189.101 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/events/les-soirees-des-herbettes-into-the-nature-23/?ajaxCalendar=1&mo=7&yr=2018 HTTP/1.1" 200 42346 "https://www.arbolife.com/fr/events/les-soirees-des-herbettes-into-the-nature-23/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11" www.arbolife.com
172.68.141.50 - - [16/Aug/2018:07:30:32 +0200] "GET /fr/shops-en-ligne/la-k-verne-de-k-ro/ HTTP/1.1" 200 39983 "https://www.arbolife.com/fr/shops-en-ligne/produits-bio/" "Openwave/ UCWEB7.0.2.37/28/999" www.arbolife.com
172.68.141.50 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/magasins/switzerland/vaud/lausanne/nature-decouvertes-lausanne/ HTTP/1.1" 200 43788 "https://www.arbolife.com/fr/magasins/ethique-fair-trade-magasin/" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11" www.arbolife.com
172.69.22.6 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/restaurants/switzerland/fribourg/fribourg/le-bistro-du-port-de-fribourg/ HTTP/1.1" 200 43084 "https://www.arbolife.com/fr/restaurants/aliments-locaux/" "Mozilla/5.0 (Linux; U; Android 2.2; en-us; SCH-I800 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" www.arbolife.com
172.69.22.126 - - [16/Aug/2018:07:30:32 +0200] "GET /fr/events/journee-sur-le-pouvoir-des-plantes-upgreen/?ajaxCalendar=1&mo=7&yr=2018 HTTP/1.1" 200 42543 "https://www.arbolife.com/fr/events/journee-sur-le-pouvoir-des-plantes-upgreen/" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+" www.arbolife.com
172.68.189.245 - - [16/Aug/2018:07:30:31 +0200] "GET /fr/events/les-soirees-des-herbettes-into-the-nature-28/?ajaxCalendar=1&mo=7&yr=2018 HTTP/1.1" 200 43344 "https://www.arbolife.com/fr/events/les-soirees-des-herbettes-into-the-nature-28/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)" www.arbolife.com
172.68.46.213 - - [16/Aug/2018:07:30:32 +0200] "GET /en/restaurants/vegetarian-options/ HTTP/1.1" 200 51504 "https://www.arbolife.com/fr/restaurants/choix-vegetarien/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0;" www.arbolife.com
172.69.23.19 - - [16/Aug/2018:07:30:35 +0200] "GET /fr/events/atelier-cuisine-bio-sans-gluten-ni-produits-laitiers-crackers-crus-chez-aneva-2/ HTTP/1.1" 200 41619 "https://www.arbolife.com/fr/les-services/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" www.arbolife.com
172.68.143.70 - - [16/Aug/2018:07:30:36 +0200] "GET /fr/restaurants/switzerland/vaud/yverdon-les-bains/choix-vegetarien/ HTTP/1.1" 200 39733 "https://www.arbolife.com/fr/restaurants/switzerland/vaud/yverdon-les-bains/le-double-r/" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5" www.arbolife.com

This is what it looks like on Cloudflare, with a peak around 7am:

I have no idea how to troubleshoot this. I thought maybe it’s a search engine crawler, so I reduced the crawl rate on Google, but really I have no clue and don’t know where to start as Cloudflare doesn’t provide an access log.

Thanks for your help.


#2

See the following article for fixing visitor IP:


#3

That’s something only my hosting company could install if they chose to do so, correct?


#4

If you’re on shared hosting, yes. If you rent a VPS with sudo access you can do the above.


#5

Yes I’m on a shared server, so I’ll request it.
What else is available? I mean isn’t Cloudflare supposed to protect me from this? This very much looks like a DOS attack with so many requests in the same second?


#6

My hosting company answered: “The solution provided from cloudflare does only work if we would use nginx as webserver. But our Server are all running with apache-Webserver, so this solution for restoring the IP’s doesn’t work.”

Do you have any input for them?


#7

There are solutions for almost all web servers, including Apache.

https://support.cloudflare.com/hc/en-us/sections/200805497-Restoring-Visitor-IPs


#8

Thanks for the link.

Now could you please tell me how come Cloudflare doesn’t block any of this? It very much looks like DDOS attack… and with so many requests to bring a shared server for 1500 hosting customers to its knees with 99% CPU, it smells like one too.


#9

Cloudflare’s main protection is layer 3/4 protection (UDP/TCP DDoS) and the layer 7 IP reputation system, blocking “known” bad/spam IPs. By default Cloudflare does not protect against this “http flood” type of attack if the originating IP addresses don’t have a bad IP reputation.

Protection at the Cloudflare layer for this would require use of the Rate Limiting feature or setting your Security Level to “I’m Under Attack”, which will show a page that validates visitors are real users before showing the website.
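
Added example, not part of the original thread or any poster's code: a small Python summary of an origin access log in the layout shown in post #1, reporting whether every logged client is a Cloudflare edge address, which seconds carry a burst, and which logged IPs present several unrelated user agents. The sample lines are constructed, the two networks are only a subset of Cloudflare's published ranges, and the `burst` threshold and the `summarize` name are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Two of Cloudflare's published IPv4 ranges (a subset, enough for this sample).
CF_RANGES = [ipaddress.ip_network(n) for n in ("172.64.0.0/13", "162.158.0.0/15")]

# Apache combined format with the vhost appended, the layout of the log in post #1.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
                  r'"[^"]*" "(?P<ua>[^"]*)"')

# Constructed sample in that layout (paths and host are placeholders).
SAMPLE = """\
172.68.189.245 - - [16/Aug/2018:07:30:31 +0200] "GET /a/ HTTP/1.1" 200 42256 "-" "UCWEB7.0.2.37/28/999" www.example.com
172.68.189.245 - - [16/Aug/2018:07:30:31 +0200] "GET /b/ HTTP/1.1" 200 41940 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)" www.example.com
172.68.141.8 - - [16/Aug/2018:07:30:31 +0200] "GET /c/ HTTP/1.1" 200 43788 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11" www.example.com
162.158.59.164 - - [16/Aug/2018:07:30:32 +0200] "GET /d/ HTTP/1.1" 200 41600 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11" www.example.com
172.68.189.245 - - [16/Aug/2018:07:30:32 +0200] "GET /e/ HTTP/1.1" 200 37179 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en)" www.example.com
truncated line without the expected fields
"""


def summarize(text, burst=3):
    """Per-second request counts and user-agent spread per logged client IP."""
    per_second, uas_by_ip = Counter(), defaultdict(set)
    via_cf = skipped = 0
    for line in text.splitlines():
        m = LINE.match(line)
        try:
            ip = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:
            ip = None
        if ip is None:  # malformed line or non-IP client field
            skipped += 1
            continue
        via_cf += any(ip in net for net in CF_RANGES)
        per_second[m["ts"]] += 1
        uas_by_ip[m["ip"]].add(m["ua"])
    total = sum(per_second.values())
    return {
        "total": total,
        "skipped": skipped,
        "all_via_cloudflare": total > 0 and via_cf == total,
        "burst_seconds": {ts: n for ts, n in per_second.items() if n >= burst},
        "multi_ua_ips": {ip: len(u) for ip, u in uas_by_ip.items() if len(u) > 1},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

When `all_via_cloudflare` is true, per-IP counts at the origin describe Cloudflare edges rather than visitors, so the per-second rate and user-agent spread are the usable signals until visitor IPs are restored.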


#10

Hi, my hosting company responded “The solution for apache is only for the version 2.4 or newer, we are using apache 2.2 on our Server.”

Is there anything else I can suggest to them?


#11

This topic was automatically closed after 31 days. New replies are no longer allowed.