Forum Moderators: phranque


So my site got hit by DDOS attack spawning tons of php processes.

         

born2run

4:12 pm on Sep 9, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi, so a few minutes ago my Apache server site got hit by a DDOS attack, it seems. The server first slowed down.

Then, I logged into the server and found via the top command that there were about 75 PHP processes running and closing, spawning more and more php processes.

My question is, how to set up Apache to make sure so many php processes are not spawned? Is there any cheap way to mitigate this php based ddos attack? Thanks!

not2easy

4:37 pm on Sep 9, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Is this a site that does not use Cloudflare? I ask because of the other post [webmasterworld.com] where you mentioned using Cloudflare filters.

Have you determined the UAs or IPs causing you trouble?

TorontoBoy

5:14 pm on Sep 9, 2017 (gmt 0)

5+ Year Member Top Contributors Of The Month



My host provider had emailed me stating that DDOS attacks were so common that they were forced to install special anti-DDOS software, and that my patience was appreciated. Due to DDOS attacks website response times were longer than they should be.

Unfortunately for DDOS attacks the IP could be spoofed/fake, or it could be a zombie PC/phone. You'll be very lucky if you get a UA you can lock onto. I usually have no such luck. The bot writers are smarter than that.

Are you using https? Https might help or slow down the attack, as it should try to authenticate the IP, which may or may not authenticate.

graeme_p

5:41 pm on Sep 9, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What do you mean by a "PHP based DDOS"? Is it managing to spawn more than one PHP process per request - if so that needs fixing.

If it is just a volume of requests (and it is not that high a volume of requests) you may want to look at fail2ban or mod_evasive.

If they are Slow Loris type attacks, are you using mod_php? What Apache worker type are you using?

born2run

11:52 pm on Sep 9, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi, yes I am still checking the access-logs during that time stamp but nothing so far. My mistake, since I don't have the experience, is that I enabled the "under attack" Cloudflare mode and the attacks stopped. I didn't scan the access logs in realtime.

So I have the old access logs with me and will ask my sys admin to examine the logs carefully.

Yes graeme_p the attack seems to be spawning more than one php process. How do I fix this?

keyplyr

12:27 am on Sep 10, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A DDoS (Distributed Denial of Service) attack is a specific event. Just because your server may be experiencing a heavy load, or a UA is hitting your server at a fast rate causing your scripting to create additional instances, doesn't mean it is a DDoS.

DDoS attacks, while more common than in previous years, are rare. These attacks are usually launched against service providers or large companies for specific reasons and even more rarely are launched against one website.

born2run

12:42 am on Sep 10, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



keyplyr agreed, how do I fix this php problem? There were around 100 php processes being launched during this time period.

keyplyr

1:34 am on Sep 10, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not sure there's anything to "fix." This depends on how you have your backend set up, or your scripting... or whatever is causing these php instances.

Best to talk with others that have a similar setup at your host.

born2run

10:25 am on Sep 11, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes, I rechecked the logs but found no suspicious entry. So it seems one php request seems to be spawning many. How do I fix this? Thanks!

keyplyr

10:34 am on Sep 11, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Again, because your site and its code runs on a CDN with its own specific config, it's best to discuss this with others with the same set up as you.

There must be documentation in the form of a knowledgebase or wiki at your host for you to look up these issues.

born2run

2:33 pm on Sep 11, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



keyplyr that's fine but I am interested in what graeme_p has to say. It seems what he said above is true, a single php is spawning multiple php processes it would seem.

I checked the top command and it had 90% php processes in the list. So waiting for graeme's reply. Thanks!

phranque

9:30 pm on Sep 11, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I'm still waiting for your reply to graeme_p's questions...

born2run

11:55 am on Sep 12, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




Yes graeme_p, it seems to be spawning more than one PHP request per request. It was not a high volume of requests as I scanned the access-logs of that time.

Can you let me know what to look for to see if it's a Slow Loris type of attack? Thanks!

phranque

7:52 pm on Sep 12, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



What Apache worker type are you using?

born2run

8:49 am on Sep 13, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Dear Phranque, we are using MPM Prefork

graeme_p

9:11 am on Sep 13, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If it's not a high volume of requests, it does not look like a DDOS.

Try:

apachectl status


Low CPU and low requests per second relative to the number of requests being processed is an indication of slow loris.

Incidentally, if you just look at access logs and requests per second, slow loris could look like multiple processes per request, in that you would see lots of processes relative to the number of requests in the logs in either case.

The next question is whether there is any good reason you are spawning multiple processes per request.
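Added example (not part of graeme_p's post): a Python sketch of the check described above, run over two saved copies of mod_status machine-readable output (`/server-status?auto`). It goes one step further than the post by also counting workers in the scoreboard's "R" (reading request) state. The sample snapshots and all thresholds are constructed assumptions; CPU use is still read separately from top.

```python
def parse_status(text):
    """Parse 'Key: value' lines of mod_status machine-readable output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(before, after, min_busy_share=0.8, min_reading_share=0.5,
           max_rate_per_busy=0.05):
    """Compare two snapshots; thresholds are illustrative assumptions."""
    a, b = parse_status(before), parse_status(after)
    elapsed = int(b["Uptime"]) - int(a["Uptime"])
    if elapsed <= 0:
        raise ValueError("snapshots out of order, or Apache restarted between them")
    # ReqPerSec in the report is an average since startup, so derive the
    # current rate from the change in Total Accesses instead.
    rate = (int(b["Total Accesses"]) - int(a["Total Accesses"])) / elapsed
    busy, idle = int(b["BusyWorkers"]), int(b["IdleWorkers"])
    reading = b.get("Scoreboard", "").count("R")  # "R" = reading request
    busy_share = busy / (busy + idle) if busy + idle else 0.0
    reading_share = reading / busy if busy else 0.0
    suspect = (busy_share >= min_busy_share
               and reading_share >= min_reading_share
               and rate <= max_rate_per_busy * busy)
    return {"rate": rate, "busy": busy, "reading": reading, "suspect": suspect}


def snapshot(accesses, uptime, busy, idle, scoreboard):
    """Build constructed sample text in the ?auto layout (not real server output)."""
    return (f"Total Accesses: {accesses}\nUptime: {uptime}\n"
            f"BusyWorkers: {busy}\nIdleWorkers: {idle}\nScoreboard: {scoreboard}\n")


# Constructed case 1: 74 of 75 workers busy, most stuck reading, 0.5 req/s.
STALLED = (snapshot(1800, 3540, 74, 1, "R" * 68 + "W" * 4 + "KK_"),
           snapshot(1830, 3600, 74, 1, "R" * 68 + "W" * 4 + "KK_"))
# Constructed case 2: same worker count, but 50 req/s of completed requests.
LOADED = (snapshot(1800, 3540, 74, 1, "W" * 60 + "K" * 10 + "RRRR_"),
          snapshot(4800, 3600, 74, 1, "W" * 60 + "K" * 10 + "RRRR_"))

if __name__ == "__main__":
    print("stalled:", assess(*STALLED))
    print("loaded: ", assess(*LOADED))
```
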

born2run

7:07 am on Sep 14, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hi, my setup was not spawning multiple processes per request. The attack happened and all of a sudden in the top command result, I saw an entire page with "PHP" processes. The site crawled then and was not responding.

So as it is a past event, how do I mitigate this type of behavior? Please assist. Thanks!

born2run

2:09 pm on Sep 19, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So are you guys saying there should be only 1 php process running in my processes list (top command) ? Please advise. Thanks

phranque

2:58 pm on Sep 19, 2017 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It is certainly possible that a PHP process could spawn other subprocesses. This could be a problem with the PHP script rather than the server itself. You should navigate all the parent / child relationships in that process list to understand the process hierarchy that occurs under the Apache process (usually httpd).

pstree is useful for this purpose.
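Added example (not part of phranque's post): a Python sketch of the parent/child walk described above, run over saved `ps -eo pid,ppid,comm` output. It reports PHP processes under Apache that are themselves parents of further PHP processes. The sample process table is constructed, and the names `httpd`, `apache2` and the `php` prefix are assumptions about how the processes appear on the server.

```python
from collections import defaultdict

# Constructed sample in the shape of `ps -eo pid,ppid,comm` output.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  900     1 httpd
  910   900 httpd
  911   900 httpd
 2001   910 php-cgi
 2002  2001 php
 2003  2001 php
 2004  2001 php
 2010   911 php-cgi
 3000     1 sshd
"""


def parse_ps(text):
    """Return {pid: (ppid, command)} from pid/ppid/comm columns."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs


def ancestry(procs, pid):
    """Walk parent links upward, e.g. 'php(2002) <- php-cgi(2001) <- httpd(910)'."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID loops
        seen.add(pid)
        ppid, comm = procs[pid]
        chain.append(f"{comm}({pid})")
        pid = ppid
    return " <- ".join(chain)


def php_spawners(procs, web_names=("httpd", "apache2")):
    """PHP processes below Apache that are themselves parents of PHP processes."""
    spawners = defaultdict(list)
    for pid, (ppid, comm) in sorted(procs.items()):
        parent_comm = procs.get(ppid, (0, ""))[1]
        below_web = any(f"{w}(" in ancestry(procs, pid) for w in web_names)
        if comm.startswith("php") and parent_comm.startswith("php") and below_web:
            spawners[ppid].append(pid)
    return dict(spawners)


if __name__ == "__main__":
    table = parse_ps(SAMPLE_PS)
    for parent, kids in php_spawners(table).items():
        print(f"{ancestry(table, parent)} spawned {len(kids)} PHP children: {kids}")
```
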