

Help: Spider/Spam bot(s) Killing My Server!




Posted by GeorgRauh, 03-04-2012, 12:14 PM
I have a "Hybrid" host with 2GB memory running on Centos5.6. I am running apache with PHP as DSO + cpanel. I already equipped the server with CSF/lfd and for my main site I am also using Cloudflare where I am blocking China.

Almost every week (especially on the weekends) usually around 8am my time (Europe) some spam bot is "attacking" my server and opens MANY apache tasks at once, e.g. 50+. This eats up all my memory and literally kills my server until I get up later and manually reboot from SolusVM interface. The server can be down for 8+ hours.

I am fighting with this problem for some time already and thought csf/lfd and cloudflare should have solved it, but nada. I am also running all kinds of cache/optimization plugins on my sites which are running on Wordpress to reduce load etc, but as soon as this bot appears it simply overpowers my server with all those apache tasks. I am at a point where I NEED a solution and I am not sure which one to choose.

* Alternate web server to reduce memory consumption? I already did testing with alternative web servers (Nginx, Varnish etc.) to reduce memory consumption of the server but overall did not see any improvement, overall the memory consumption is the same. Work --> benefit ratio of exchanging apache for nginx is not there, IMHO. (Plus incompatibilities etc.)
* Upgrading server with more ram? The most obvious solution could be simply giving the server 2GB more ram...problem here I don't know whether this would really solve the problem. If the bot does not appear, all my sites run flawlessly on the given hardware. I do not want to spend even more on the server/month if the added memory wouldn't even solve the problem.
* Software watchdog? I think a feasible solution would be a software watchdog which could reboot my server if it sees that apache etc. is down (non-responsive for some extended time). Is there no such option anywhere already out of the box with Centos/csf?

I am surprised since csf/lfd gives me all those alerts per email...is there an option to let it automatically reboot the whole server? What about this "softdog" application I just read about, would this be an option? Thanks!

Posted by rustelekom, 03-04-2012, 01:36 PM
Hi, You could use csf or monit to reboot apache or whole VPS when your load average or memory usage is high.

Posted by GeorgRauh, 03-04-2012, 01:58 PM
Hello, could you tell me where in csf I can configure that? Thanks.

Posted by n8bit, 03-04-2012, 02:40 PM
This almost sounds like the slowloris attack: http://ha.ckers.org/slowloris/ It might pay to try and use it against your apache server from home to see if you're affected. Or just switch to lighty/nginx if you have the time

Posted by MattHouston, 03-04-2012, 03:19 PM
You can try using Litespeed instead of Apache.

Posted by tvcnet, 03-04-2012, 08:08 PM
Hi, Incapsula has a DDOS mitigation service as well you may wish to try (and not as insanely priced as that other big DDOS mitigation service). Personally I'm a big fan of Cloudflare as well, though Incapsula tends to work better for enterprise level stuff IMHO.

Posted by damoncloudflare, 03-05-2012, 05:42 PM
Are you blocking the IPs in the CloudFlare threat control panel for the spam bot?

Posted by AHFBWEB, 03-05-2012, 06:23 PM
Add this to your htaccess. You may or may not want to remove msie 6 ******* = wow rack without the space. About time they got removed, they slipped below the radar with spam for months

Posted by dancom96, 03-05-2012, 07:17 PM
Switch to mpm_worker or mpm_event with FCGI or PHP-FPM

Posted by astutiumRob, 03-06-2012, 09:49 PM
Switching web-server software, or adding more RAM, will simply delay the point you keel over and die by a few seconds. You need to be blocking the source of the attack, as well as talking to your upstream about it.

Posted by sam0, 03-07-2012, 03:23 AM
We saw a significant performance increase using nginx with php-fpm. If there's a single IP opening 50 connections you can configure your firewall or httpd to block these. Also if the requests look similar you can use a script to automatically ban the IPs.
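A script of the kind suggested in the last reply, as an added example (not code from any poster in this thread): it scans Apache common/combined access-log lines for client IPs that exceed a request rate and builds temporary `csf -td` bans for them. The threshold, window, ban duration and the allowlisted range are assumptions; the allowlist matters behind a proxy such as Cloudflare, where the log may show the proxy's address instead of the visitor's unless the real client IP is restored.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Leading fields of an Apache common/combined log line: client IP, then [timestamp].
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

def find_flooders(lines, threshold=50, window_s=10, allow=()):
    """Return IPs with >= threshold requests inside any window_s-second span."""
    allow_nets = [ip_network(n) for n in allow]
    recent = defaultdict(deque)  # ip -> request times still inside the window
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        try:
            ip = ip_address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if any(ip in net for net in allow_nets):
            continue  # never ban your own proxy/CDN or monitoring addresses
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and str(ip) not in flagged:
            flagged.append(str(ip))
    return flagged

def csf_tempdeny_commands(ips, ttl_s=3600):
    """Build (not run) temporary CSF bans so a false positive expires by itself."""
    return [f"csf -td {ip} {ttl_s} request-flood" for ip in ips]

def sample_log():
    """Constructed sample: a flooding client, a normal visitor, a busy proxy."""
    fmt = '{} - - [04/Mar/2012:08:00:{:02d} +0100] "GET / HTTP/1.1" 200 512'
    flood = [fmt.format("203.0.113.7", i // 12) for i in range(60)]
    normal = [fmt.format("192.0.2.10", i * 10) for i in range(5)]
    proxy = [fmt.format("198.51.100.5", i // 12) for i in range(60)]
    return flood + normal + proxy + ["garbage line"]

if __name__ == "__main__":
    hits = find_flooders(sample_log(), allow=["198.51.100.0/24"])
    print("\n".join(csf_tempdeny_commands(hits)))
```

The sketch assumes each client's lines appear in chronological order, as they do in a live access log. Review the generated commands before running them.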


