Web Traffic Spike from South Korea, all 404s
October 30, 2018 7:25 AM

Daily unique users went from 200 to 4000 overnight, all to nonsense page addresses, all from South Korea.

I manage a website for a small non-profit. WordPress hosted on AWS LAMP. For years, we've had similar traffic, about 200 users a day. Suddenly, last week it spiked to 4000, but all to addresses like /adsfk/jhsadof-hjsadgf, which returns a 404.

It almost seems like a DDoS-style thing, but we are nobody, and it's only 40ish users at a time.

Google Analytics screen shot

It's not a huge problem yet, except my CPU usage is through the roof, serving back all these 404s. I could scale up my instances, but obviously that has a cost.

How do I find out what is going on and stop / slow it?
posted by slagerst to Technology (3 answers total) 1 user marked this as a favorite
 
404s are a frequent DDoS target because they tend not to be as optimized as typical requests.
posted by wnissen at 9:34 AM on October 30, 2018


I'd set up something like fail2ban that takes multiple 404s from an IP as a failure and places a removed-after-a-time DROP for that IP into the firewall rules so the web server just doesn't even see more requests from that IP for a good while.
posted by zengargoyle at 2:12 PM on October 30, 2018


Bonus points if you make that DROP rule into a redirect to a static page that you can serve fast that tells them that they're infected with something. "Your computer had made a bazillion 404 requests to this site... Are you infected with something???"
posted by zengargoyle at 2:18 PM on October 30, 2018
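
The rule suggested in the answers above (several 404s from one IP inside a time window counts as a failure) can be tried against an access log before any firewall rule is enabled. This is an added example, not code from any poster or from fail2ban; it assumes Apache's common/combined log format, and the thresholds, the `find_404_offenders` name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined access log: client IP, [timestamp], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_404_offenders(lines, max_retry=5, find_time=60):
    """Return {ip: time of the 404 that crossed the threshold}.

    An IP is flagged once it produces max_retry 404s within find_time
    seconds (a sliding window, like fail2ban's maxretry/findtime).
    """
    window = timedelta(seconds=find_time)
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue              # unparseable line, or not a 404
        ip, stamp = m.group(1), m.group(2)
        if ip in flagged:
            continue              # already over the threshold
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop 404s that fell out of the window
        if len(hits) >= max_retry:
            flagged[ip] = ts
    return flagged

# Constructed sample log (documentation IP ranges, made-up paths).
def _line(ip, sec, path, status):
    minute, second = divmod(sec, 60)
    return (f'{ip} - - [30/Oct/2018:07:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

SAMPLE = (
    [_line("203.0.113.7", 2 * i, f"/adsfk/x{i}", 404) for i in range(6)]        # burst
    + [_line("198.51.100.9", 90 * i, f"/old-page-{i}", 404) for i in range(5)]  # slow
    + [_line("192.0.2.44", 3 * i, "/", 200) for i in range(10)]                 # normal
)

if __name__ == "__main__":
    for ip, when in find_404_offenders(SAMPLE).items():
        print(f"{ip} crossed the 404 threshold at {when.isoformat()}")
```

Running it over a day of real logs with different `max_retry` and `find_time` values shows which visitors a given setting would ban, including any legitimate ones that follow stale links.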


This thread is closed to new comments.