Is This a DDoS Attack or Just a Bot Issue?

Asked By TechieStar23 On

I've been managing several e-commerce websites and frequently deal with all sorts of online threats. Recently, I noticed something strange happening on one of my sites on July 3rd. The server traffic skyrocketed from about 20,000 requests per hour to a staggering 120,000, but interestingly, our sales didn't reflect this surge. Upon checking the nginx logs, I saw that most of the requests were directed at specific category pages, and there were hardly any requests for essential files like CSS or JS, which seemed to indicate bot activity. I noticed a pattern where many requests came from the same IPs, and we promptly enabled Cloudflare's 'under attack' mode, which led to an immediate drop in traffic. I also set up a rule in Cloudflare to target this suspicious activity while manually reviewing it since it appeared to be coming from various countries like Brazil, Singapore, and India without matching our customer base in the UK. Three weeks later, I'm still blocking a substantial amount of traffic, but I'm starting to wonder if this truly qualifies as a DDoS attack or if it's just a persistent bot issue. Any tips to mitigate this further would be appreciated!

3 Answers

Answered By TrafficTamer99 On

It's tough to say definitively, but 120k requests per hour isn't outrageous for a potential DDoS and often, attackers will mask their traffic to look legitimate. Since your traffic seems to mimic real user behavior but lacks certain characteristics (like requests for JS/CSS), it could likely be a bot trying to sneak in and probe your site's vulnerabilities. It’s wise to analyze the headers too, as DDoS attacks usually don’t bother with faking traffic. You might want to tweak your Web Application Firewall settings to catch these unknown bots more effectively.

LogAnalyzerQ -

That makes sense! I guess tightening the rules on bots might help filter out some unnecessary traffic.

Answered By BotBuster101 On

From what you've described, it sounds more like you're dealing with a vulnerability scanner rather than a full-blown DDoS attack. These scanners often use proxies and vary their user agents to avoid detection. The fact that the requests are directed towards specific URLs rather than bombarding one single endpoint suggests it's not typical DDoS behavior. A real DDoS would typically send massive volumes of requests to one URL at high speed. You might want to keep an eye on those patterns; they could be probing for weaknesses, and it’s good that you have Cloudflare in place!

ScannerSpotter82 -

That's what I was thinking too! Even if it's just a scanner, it can still be quite annoying. Keeping Cloudflare up is definitely a smart move.

Answered By SecuritySavvy987 On

What you're experiencing sounds less like a traditional DDoS and more like a misconfigured bot or crawler. To effectively tackle this, you should enhance your WAF settings to identify and block unfamiliar bots more rigorously. The volume of 18k requests in 24 hours is pretty manageable. The reports of thousands of requests per second you mention generally indicate a serious DDoS attack. Make sure to check for recurring IPs or similar user-agent strings in your logs to kick them out directly.
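The triage described in the question and in this answer (repeat IPs, category pages fetched without the CSS/JS a browser would load, rotating user agents) can be done directly on the nginx access log. The script below is an added example, not code from any of the posters; it assumes the default nginx "combined" log format, a constructed set of sample lines with documentation-range IPs, and hypothetical thresholds (at least 5 requests, 5% or fewer asset fetches) that you would tune to your own traffic.

```python
import re
from collections import defaultdict

# Regex for the default nginx "combined" log format (written for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ASSET_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.svg', '.woff', '.woff2', '.ico')

# Constructed sample: 203.0.113.5 walks category pages only, 198.51.100.7 behaves like a browser.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2024:10:00:01 +0000] "GET /category/shoes HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [03/Jul/2024:10:00:02 +0000] "GET /category/shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
198.51.100.7 - - [03/Jul/2024:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 900 "https://shop.example/category/shoes" "Mozilla/5.0 (Windows NT 10.0) Firefox/126.0"
203.0.113.5 - - [03/Jul/2024:10:00:02 +0000] "GET /category/bags?page=2 HTTP/1.1" 200 5100 "-" "python-requests/2.31"
203.0.113.5 - - [03/Jul/2024:10:00:03 +0000] "GET /category/hats HTTP/1.1" 200 5000 "-" "Mozilla/5.0 (Linux) Chrome/100.0"
203.0.113.5 - - [03/Jul/2024:10:00:04 +0000] "GET /category/shoes?page=2 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.5 - - [03/Jul/2024:10:00:05 +0000] "GET /category/belts HTTP/1.1" 200 4900 "-" "python-requests/2.31"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def profile_clients(lines, min_requests=5, max_asset_ratio=0.05):
    # Group requests by client IP and flag clients that send real volume but almost
    # never fetch static assets: pages-only traffic is a scraper/scanner signature.
    stats = defaultdict(lambda: {'pages': 0, 'assets': 0, 'uas': set(), 'paths': set()})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue  # unparseable line: skip rather than crash the whole run
        path = rec['path'].split('?', 1)[0]  # drop the query string; ?page=2 is the same page
        s = stats[rec['ip']]
        if path.lower().endswith(ASSET_EXT):
            s['assets'] += 1
        else:
            s['pages'] += 1
            s['paths'].add(path)
        s['uas'].add(rec['ua'])  # several UAs from one IP is a second hint worth recording
    flagged = {}
    for ip, s in stats.items():
        total = s['pages'] + s['assets']
        ratio = s['assets'] / total
        if total >= min_requests and ratio <= max_asset_ratio:
            flagged[ip] = {'total': total, 'asset_ratio': round(ratio, 3),
                           'distinct_paths': len(s['paths']), 'user_agents': sorted(s['uas'])}
    return flagged
```

Run it over a real log with `profile_clients(open('/var/log/nginx/access.log'))`; the flagged dictionary gives you the IPs and user-agent strings to feed into a Cloudflare or WAF rule, with the asset ratio as evidence that a block is justified.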
