1. What does GET / return?
2. You said that nginx was configured as a reverse proxy. Is / proxied to a back-end?
3. Does GET / return the same content to different users?
4. Is the user-agent identical for these suspicious requests?

Sent from my iPhone

> On Jan 10, 2019, at 11:19 PM, gnusys <[email protected]> wrote:
>
> The domain is proxied over Cloudflare and the access log shows a large
> number of requests to the website from the Cloudflare servers
>
> 121115 162.158.88.4
> 121472 162.158.89.99
> 121697 162.158.90.176
> 122265 162.158.91.97
> 122969 162.158.93.113
> 125020 162.158.91.103
> 126132 162.158.90.194
> 128913 162.158.91.25
> 128980 162.158.93.89
>
> the requests were all GET / and the rate at which it is done mostly is
> extremely high pointing to a Layer 7 attack
>
> We can't block the Cloudflare IPs on the server as other sites (it's a shared
> hosting server) may be using Cloudflare. At the moment the target IP on the
> server is blocked at the network level. Luckily the domain was using a
> dedicated IP
>
> As I already said, Apache handles this pretty well, the only small issue I
> see is the server load getting a bit above normal and the Apache scoreboard
> getting filled up, but with Nginx the entire webstack freezes with the
> CLOSE_WAIT state and ESTABLISHED state extremely high and we can bring back
> things to normal only after disabling Nginx. Once Nginx is disabled, the
> CLOSE_WAIT and ESTABLISHED states clear off immediately too
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,282613,282649#msg-282649
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
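
The questions at the top of this reply can be answered from the access log itself. The following is an added example, not part of the original thread: it assumes the default "combined" log format, and the sample lines, addresses (documentation range) and user-agent strings are constructed.

```python
import re
from collections import Counter

# Assumption: nginx/Apache "combined" log format.
LINE_RE = re.compile(
    r'(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def triage(lines, method="GET", uri="/"):
    """Profile requests for one method+URI: who sent them, with which
    user-agent, what came back, and the busiest single second."""
    peers, agents, responses, per_second = Counter(), Counter(), Counter(), Counter()
    total = matched = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        total += 1
        if m["method"] != method or m["uri"] != uri:
            continue
        matched += 1
        peers[m["peer"]] += 1          # behind a CDN this is the edge address
        agents[m["ua"]] += 1           # one dominant value suggests a single tool
        responses[(m["status"], m["size"])] += 1  # identical pairs: same content served
        per_second[m["ts"]] += 1       # combined timestamps have 1 s resolution
    return {
        "total": total, "matched": matched,
        "share": matched / total if total else 0.0,
        "peers": peers, "agents": agents, "responses": responses,
        "peak_rps": max(per_second.values(), default=0),
    }

# Constructed sample lines, not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [10/Jan/2019:23:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '192.0.2.11 - - [10/Jan/2019:23:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - - [10/Jan/2019:23:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '192.0.2.10 - - [10/Jan/2019:23:01:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleAgent/1.0"',
    '192.0.2.12 - - [10/Jan/2019:23:01:03 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['matched']}/{r['total']} requests are GET /, peak {r['peak_rps']}/s")
    print("user-agents:", r["agents"].most_common(3))
    print("status/size:", r["responses"].most_common(3))
```

On a real log, pass the open file object to `triage()`; a single user-agent and a single status/size pair across all matched requests answer questions 3 and 4 directly.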
