So have also checked the analytics that you use for any usage patterns, maybe someone is hotlinking images from your website to some high traffic website. Or maybe your ste got picked up by some high traffic news site. You would atleast know if there is a genuine traffic spike as analytics tools would not be able to pick up bot traffic other than the once they know already.<br>
<br>Might give some clue. <br><br><div class="gmail_quote">On Thu, Aug 19, 2010 at 10:06 PM, Pete Graham <span dir="ltr"><<a href="mailto:petegraham1@gmail.com">petegraham1@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
The site does have a customer base in India, in fact their is an<br>
Indian version of the site with specific information for this customer<br>
base.<br>
<br>
We've been analysing the access logs further, there's some very<br>
strange behaviour in there. 165 IPs have made in excess of 200<br>
requests. It starts OK, with the server answering 200's and then some<br>
attempts fail ... returning 500's. We don't think it's a malicious<br>
DoS, as the user starts by doing a perfectly normal browse of the<br>
site. We've been trying to analyse was was the last request made<br>
before going AWOL, but can't find a pattern.<br>
<br>
Something like mod_dosevasive could be useful to block these bursts of<br>
traffic but I'd like to get to the bottom of what's causes them in the<br>
first place.<br>
<br>
Apologies that this tread is pretty off topic now as it's not really<br>
PHP related now.<br>
<font color="#888888"><br>
Pete<br>
</font><div><div></div><div class="h5"><br>
On 19 August 2010 17:18, <<a href="mailto:phil@infolinkelectronics.co.uk">phil@infolinkelectronics.co.uk</a>> wrote:<br>
>> Hi,<br>
>><br>
>> I had my systems admin friend help me out on this one. He modified the<br>
>> Apache configuration: tuned the prefork mpm. Re-activated keepalive,<br>
>> with stricter settings. Also he noticed some IP in India was<br>
>> requesting 1000 pages a minute sometimes so blacklisted the IP,<br>
>> amongst other things.<br>
>><br>
>> Site seems to behaving itself much more now, thankfully.<br>
>><br>
>> Pete<br>
><br>
> Pete,<br>
> If the site doesn't have a customer base in India I'd consider blocking more<br>
> than just a single IP, else you'll think you've fixed it and they'll just<br>
> pop back later on a different one!<br>
><br>
> Phil<br>
><br>
</div></div><div><div></div><div class="h5">> _______________________________________________<br>
> Phpwm mailing list<br>
> Website : <a href="http://www.phpwm.org" target="_blank">http://www.phpwm.org</a><br>
> Twitter : <a href="http://www.twitter.com/phpwm" target="_blank">http://www.twitter.com/phpwm</a><br>
> Facebook: <a href="http://www.facebook.com/group.php?gid=2361609907" target="_blank">http://www.facebook.com/group.php?gid=2361609907</a><br>
><br>
> Post to list: <a href="mailto:Phpwm@mailman.lug.org.uk">Phpwm@mailman.lug.org.uk</a><br>
> Archive etc : <a href="https://mailman.lug.org.uk/mailman/listinfo/phpwm" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/phpwm</a><br>
><br>
<br>
_______________________________________________<br>
Phpwm mailing list<br>
Website : <a href="http://www.phpwm.org" target="_blank">http://www.phpwm.org</a><br>
Twitter : <a href="http://www.twitter.com/phpwm" target="_blank">http://www.twitter.com/phpwm</a><br>
Facebook: <a href="http://www.facebook.com/group.php?gid=2361609907" target="_blank">http://www.facebook.com/group.php?gid=2361609907</a><br>
<br>
Post to list: <a href="mailto:Phpwm@mailman.lug.org.uk">Phpwm@mailman.lug.org.uk</a><br>
Archive etc : <a href="https://mailman.lug.org.uk/mailman/listinfo/phpwm" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/phpwm</a><br>
</div></div></blockquote></div><br>