So my site got hit by DDOS attack spawning tons of php processes.

     
4:12 pm on Sep 9, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


Hi, so a few minutes ago my Apache server site got hit by a DDOS attack, it seems. The server first slowed down.

Then, I logged into the server and found via the top command that there were about 75 PHP processes running and closing, spawning more and more php processes.

My question is, how to set up Apache to make sure so many php processes are not spawned? Is there any cheap way to mitigate this php based ddos attack? Thanks!
4:37 pm on Sept 9, 2017 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:3451
votes: 181


Is this a site that does not use Cloudflare? I ask because of the other post [webmasterworld.com] where you mentioned using Cloudflare filters.

Have you determined the UAs or IPs causing you trouble?
5:14 pm on Sept 9, 2017 (gmt 0)

Junior Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts: 141
votes: 12


My host provider had emailed me stating that DDOS attacks were so common that they were forced to install special anti-DDOS software, and that my patience was appreciated. Due to DDOS attacks website response times were longer than they should be.

Unfortunately for DDOS attacks the IP could be spoofed/fake, or it could be a zombie PC/phone. You'll be very lucky if you get a UA you can lock onto. I usually have no such luck. The bot writers are smarter than that.

Are you using https? Https might help or slow down the attack, as it should try to authenticate the IP, which may or may not authenticate.
5:41 pm on Sept 9, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2678
votes: 90


What do you mean by a "PHP based DDOS"? Is it managing to spawn more than one PHP process per request - if so that needs fixing.

If it is just a volume of requests (and it is not that high a volume of requests) you may want to look at fail2ban or mod_evasive.

If they are Slow Loris type attacks, are you using mod_php? What Apache worker type are you using?
11:52 pm on Sept 9, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


Hi, yes I am still checking the access-logs during that time stamp but nothing so far. My mistake since I don't have the experience is that I enabled the "under attack" cloudflare mode and the attacks stopped. I didn't scan the accesslogs in realtime.

So I have the old access logs with me and will ask my sys admin to examine the logs carefully.

Yes graeme_p the attack seems to be spawning more than one php process. How do I fix this?
12:27 am on Sept 10, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9631
votes: 479


A DDoS (Distributed Denial of Service) attack is a specific event. Just because your server may be experiencing a heavy load, or a UA is hitting your server at a fast rate causing your scripting to create additional instances, doesn't mean it is a DDoS.

DDoS attacks, while more common than in previous years, are rare. These attacks are usually launched against service providers or large companies for specific reasons and even more rarely are launched against one website.
12:42 am on Sept 10, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


keyplyr agreed, how do I fix this php problem? There were around 100 php processes being launched during this time period.
1:34 am on Sept 10, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9631
votes: 479


Not sure there's anything to "fix." This depends on how you have your backend set up, or your scripting... or whatever is causing these php instances.

Best to talk with others that have a similar setup at your host.
10:25 am on Sept 11, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


Yes, I rechecked the logs but found no suspicious entry. So it seems one php request seems to be spawning many. How do I fix this? Thanks!
10:34 am on Sept 11, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:9631
votes: 479


Again, because your site and its code runs on a CDN with its own specific config, it's best to discuss this with others with the same set up as you.

There must be documentation in the form of a knowledgebase or wiki at your host for you to look up these issues.
2:33 pm on Sept 11, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


keyplyr that's fine but I am interested in what graeme_p has to say. It seems what he said above is true, a single php is spawning multiple php processes it would seem.

I checked the top command and it had 90% php processes in the list. So waiting for graeme's reply. Thanks!
9:30 pm on Sept 11, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10977
votes: 84


I'm still waiting for your reply to graeme_p's questions...
11:55 am on Sept 12, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7



Yes graeme_p, it seems to be spawning more than one PHP request per request. It was not a high volume of requests as I scanned the access-logs of that time.

Can you let me know what to look for to see if it's a Slow Loris type of attack? Thanks!
7:52 pm on Sept 12, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10977
votes: 84


What Apache worker type are you using?
8:49 am on Sept 13, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


Dear Phranque, we are using MPM Prefork
9:11 am on Sept 13, 2017 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:2678
votes: 90


If it's not a high volume of requests, it does not look like a DDOS.

Try:

apachectl status


Low CPU and low requests per second relative to the number of requests being processed is an indication of slow loris.

Incidentally, if you just look at access logs and requests per second, slow loris could look like multiple processes per request, in that you would see lots of processes relative to the number of requests in the logs in either case.

The next question is whether there is any good reason you are spawning multiple processes per request.
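
The check described in the post above, as an added example that is not part of the original thread: it compares two machine-readable mod_status snapshots and flags the pattern of many busy workers stuck reading requests while few requests complete. The thresholds and the sample snapshots are assumptions constructed for illustration; the rate is computed from the change in Total Accesses because the ReqPerSec figure mod_status reports is an average since server start.

```python
# Added example: slow-loris heuristic over two mod_status "?auto" snapshots.
# Field names are those mod_status emits; all sample values are constructed.

def snapshot(accesses, uptime, busy, idle, board):
    """Build a constructed mod_status '?auto' style snapshot for the demo."""
    return (f"Total Accesses: {accesses}\nUptime: {uptime}\n"
            f"BusyWorkers: {busy}\nIdleWorkers: {idle}\nScoreboard: {board}\n")

# Snapshots 60 seconds apart. Scoreboard keys: R = reading request,
# W = sending reply, K = keepalive, _ = waiting for connection.
EARLIER = snapshot(18000, 3600, 12, 138, "W" * 10 + "K" * 2 + "_" * 138)
SLOW = snapshot(18060, 3660, 148, 2, "R" * 140 + "W" * 6 + "K" * 2 + "_" * 2)
BUSY = snapshot(27000, 3660, 148, 2, "W" * 120 + "K" * 20 + "R" * 8 + "_" * 2)


def parse_status(text):
    """Parse the 'Key: value' lines into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def assess(earlier, later, busy_ratio=0.8, read_ratio=0.5, max_rate_per_busy=0.1):
    """Flag 'many workers busy, most of them reading, few requests completing'.

    The three thresholds are illustrative assumptions, not Apache defaults.
    """
    a, b = parse_status(earlier), parse_status(later)
    elapsed = int(b["Uptime"]) - int(a["Uptime"])
    if elapsed <= 0:
        raise ValueError("snapshots out of order or server restarted")
    # Requests completed per second during the interval between snapshots.
    rate = (int(b["Total Accesses"]) - int(a["Total Accesses"])) / elapsed
    busy = int(b["BusyWorkers"])
    total = busy + int(b["IdleWorkers"])
    reading = b.get("Scoreboard", "").count("R")
    suspicious = (
        total > 0 and busy / total >= busy_ratio   # pool nearly exhausted
        and reading / busy >= read_ratio           # mostly waiting on clients
        and rate / busy <= max_rate_per_busy       # little work completing
    )
    return {"req_per_sec": rate, "busy": busy, "total": total,
            "reading": reading, "slowloris_like": suspicious}
```

On a live server the two inputs would be the text returned by the server-status handler with the `?auto` query string, fetched a minute apart, which requires mod_status to be enabled.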
7:07 am on Sept 14, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


Hi, my setup was not spawning multiple processes per request. The attack happened and all of a sudden in the top command result, I saw an entire page with "PHP" processes. The site crawled then and was not responding.

So as it is a past event, how do I mitigate this type of behavior? Please assist. Thanks!
2:09 pm on Sept 19, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 19, 2004
posts:657
votes: 7


So are you guys saying there should be only 1 php process running in my processes list (top command) ? Please advise. Thanks
2:58 pm on Sept 19, 2017 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10977
votes: 84


It is certainly possible that a PHP process could spawn other subprocesses. This could be a problem with the PHP script rather than the server itself. You should navigate all the parent / child relationships in that process list to understand the process hierarchy that occurs under the Apache process (usually httpd).

pstree is useful for this purpose.
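
The parent/child walk suggested in the post above, as an added example that is not part of the original thread: it reads `ps -eo pid,ppid,comm` output, counts the PHP processes under each Apache worker, and lists PHP processes whose direct parent is itself PHP. The sample process table is constructed, and the process names `httpd`, `apache2` and the `php` prefix are assumptions about how the processes appear on the host.

```python
from collections import Counter

# Constructed sample of `ps -eo pid,ppid,comm` output (not from the thread).
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 systemd
  900     1 httpd
  901   900 httpd
  902   900 httpd
 1201   901 php
 1202   902 php
 1301  1202 php
 1302  1202 php
 1303  1301 php
 2000     1 sshd
"""

WEB_SERVERS = {"httpd", "apache2"}  # assumed Apache process names


def parse_ps(text):
    """Return {pid: (ppid, command)} from `ps -eo pid,ppid,comm` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs


def php_report(text):
    """Count PHP descendants per Apache worker; list PHP spawned by PHP."""
    procs = parse_ps(text)
    per_worker, nested = Counter(), []
    for pid, (ppid, comm) in procs.items():
        if not comm.startswith("php"):
            continue
        if procs.get(ppid, (0, ""))[1].startswith("php"):
            nested.append(pid)  # a PHP process started by another PHP process
        cur, seen = ppid, set()
        while cur in procs and cur not in seen:  # climb to nearest Apache worker
            seen.add(cur)
            if procs[cur][1] in WEB_SERVERS:
                per_worker[cur] += 1
                break
            cur = procs[cur][0]
    return dict(per_worker), sorted(nested)
```

A worker with one PHP child per request and an empty nested list matches normal CGI-style handling; a non-empty nested list points at a script that launches further PHP processes.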