Posted by James Watson on 12 Sep, 2020
Since reporting some unusual activity on the website on the 1st September, I regret to advise that the abuse has continued and the site continues to come under attack on a near-daily basis. The attacking website posts an unusually high number of requests (around 5 per second) for several hours at a time, rendering the site unusable for other users. On most occasions, the service provider hosting the site sends me an email alerting me to the unusually high usage. If I can, I spend some time going through the access logs and modifying the site's iptables to block traffic from the offending IP address. The figures below show the CPU usage as a result of today's attacks. The first CPU spike was a result of requests from 220.127.116.11 which I blocked last night at 19:00. The second spike of traffic started at around 10:00 the following morning from 18.104.22.168 and was blocked at 12:00.
The fact that the attacks typically emanate from a cloud-based service and have been moving as I block access suggests a deliberate attempt to disrupt the services of the site. I have no idea what the motivation is behind the abuse.
Picking through Apache logs is not really the way that I want to spend my free time. If the attacks persist, I will have to consider other measures: making the site a 'members-only' service or adding usage limits, to the detriment of legitimate users. I may even just decide to pull the plug on the whole thing.