Recently I've had a huge influx of traffic to my site to the point that Apache reached it's max connections and MySQL couldn't respond in time. Turns out a small DDOS was occurring.
It's common for popular software like WordPress to become a target for bots that roam the internet crawling servers for exploits to add to their botnet. Unfortunately it's something that not all hosting providers will help detect and stop that's why specialist services like CloudFlare have become available.
After noticing the server grinding to a halt I went through some basic steps to determine where the fault may be.
- Using another server or device on another network to check the site, a popular free service is "Down For Everyone or Just Me"
- Use networking commands like ping thomasrothwell.com and traceroute thomasrothwell.com to determine if the domain provider or DNS could be effected. Again sites are available to-do this if you don't have command line available. Ping.eu
- SSH into the server to check the logs "/var/log/" is the most common directory but will of course vary depending on your Hosting Provider and OS. Check your web server and database logs, this'll help narrow down what's falling over first.
- Check your server resources, RAM & CPU usage may be spiking. Again commands like top will help identify the main consumers.
- If you come across a suspect IP you can use an IP Address Abuse Database to help identify it's legitimacy.
It turned out to be a similar IP range hitting the server and doing a POST request to a WordPress file xmlrpc.php. This is a common target as it's used to communicate with third party services like RSS and plugins.
220.127.116.11 - - [04/May/2016:10:59:34 -0400] "POST /xmlrpc.php HTTP/1.0" 500 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
18.104.22.168 - - [04/May/2016:10:59:33 -0400] "POST /xmlrpc.php HTTP/1.0" 500 609 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
I stopped the web server from running so the server would free up some resources in-order to work a bit quicker as the response time when typing was very sluggish.
service apache2 stop
I grabbed the IP Addresses via the access logs and then used IPTABLES to block the connections.
iptables -I INPUT -p tcp -s 22.214.171.124 -j REJECT
iptables -I INPUT -p tcp -s 126.96.36.199 -j REJECT
iptables -I INPUT -p tcp -s 188.8.131.52 -j REJECT
iptables -I INPUT -p tcp -s 184.108.40.206 -j REJECT
iptables -I INPUT -p tcp -s 220.127.116.11 -j REJECT
iptables -I INPUT -p tcp -s 18.104.22.168 -j REJECT
Simply start the web server again and everything was back running smoothly again!