DDoS or php-fpm bad script?

Cyb3r

Well-known member
This is really frustrating. I'm not a pro and my knowledge of server management is very basic. From time to time I get a php-fpm overload, which makes me wonder whether it is a bad process or a DDoS. I use NodeQuery to keep an eye on the load and I get email notifications when there's a high load. Here are pictures of the server load before and after:
[attached screenshots: server load before and after]

It seems more like a DDoS attack, because when I set CF Status to "I'm Under Attack" the load cooled down and I was able to access my site again. My question is: how can I make sure it's a DDoS and not a bad php-fpm process?

Also, what can I do to mitigate these attacks, which I get a lot of on a daily basis?

Here's my server specs:
Code:
CPU: 4x 3100 MHz (AMD Opteron(tm) Processor 6386 SE)
RAM: 4GB
Running: CentOS release 6.6 (Final) x64 (Centminmod)

Thanks in advance!
 
I see you're running CSF, you can block some attacks by setting that up to be more strict.
Try enabling OWASP rules in Cloudflare too.
 
Also try these settings in php-fpm.conf

Code:
emergency_restart_threshold = 3
emergency_restart_interval = 1m
process_control_timeout = 5s
 
You can type this code into PuTTy if you have root access to view the connections to your server and see what doesn't seem normal.

Code:
netstat -an | grep :80 | sort

After viewing this you should be able to tell if you are getting DDoS. I was given this method by my own webhost which actually has advanced mitigation.

If it continues I highly suggest finding a mitigating host or using Sucuri as they have the cheapest advanced mitigation.
 
I see you're running CSF, you can block some attacks by setting that up to be more strict.
Try enabling OWASP rules in Cloudflare too.

What's OWASP?

If you mean web application firewall then it comes with pro plan or higher, if you recommend it I will consider upgrading to pro plan.

Also try these settings in php-fpm.conf

Code:
emergency_restart_threshold = 3
emergency_restart_interval = 1m
process_control_timeout = 5s

So this will shutdown the process or the whole php-fpm service?

Sorry for the noobish questions and thank you for the kind guide. :)

You can type this code into PuTTy if you have root access to view the connections to your server and see what doesn't seem normal.

Code:
netstat -an | grep :80 | sort

After viewing this you should be able to tell if you are getting DDoS. I was given this method by my own webhost which actually has advanced mitigation.

If it continues I highly suggest finding a mitigating host or using Sucuri as they have the cheapest advanced mitigation.

I'm using https so I should change the port to 443 right?
 
What's OWASP?

If you mean web application firewall then it comes with pro plan or higher, if you recommend it I will consider upgrading to pro plan.

Extra firewall rules which could help you. Don't upgrade just for that though.

So this will shutdown the process or the whole php-fpm service?

Sorry for the noobish questions and thank you for the kind guide. :)

This means if 3 php-fpm processes crash within a minute, then php-fpm will restart automatically. It will keep the CPU load down.
 
Extra firewall rules which could help you. Don't upgrade just for that though.



This means if 3 php-fpm processes crash within a minute, then php-fpm will restart automatically. It will keep the CPU load down.

Thank you for the info. Is there any way to know if someone is stressing the site through PHP files or something?
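As an added illustration (not from anyone in this thread) of the netstat advice above and of the question about PHP files: two small shell helpers that count connections per remote IP on ports 80 and 443 (so the https case is covered too) and count requests to PHP scripts per client IP from access-log lines. The netstat lines and log lines are constructed samples; the thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Pipe real data in with
#   netstat -an | count_by_ip      or   noisy_ips 50 < <(netstat -an)
#   php_hits_by_ip < /var/log/nginx/access.log
# The samples below are constructed for demonstration.

NETSTAT_SAMPLE='tcp        0      0 10.0.0.5:80     203.0.113.7:51234   ESTABLISHED
tcp        0      0 10.0.0.5:443    203.0.113.7:51235   ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.7:51236   SYN_RECV
tcp        0      0 10.0.0.5:443    198.51.100.2:40000  ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.7:51237   ESTABLISHED'

LOG_SAMPLE='203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2015:10:00:01 +0000] "GET /search.php?q=a HTTP/1.1" 200 9000
198.51.100.2 - - [10/Jan/2015:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 300
203.0.113.7 - - [10/Jan/2015:10:00:02 +0000] "POST /search.php HTTP/1.1" 200 9000'

# Count connections per remote IP whose LOCAL port is 80 or 443.
# Anchoring on the local address (field 4) avoids matching ":80" in a
# remote port such as 51280, which a plain "grep :80" would pick up.
# Output: "<count> <ip>", highest count first.
count_by_ip() {
    awk '$4 ~ /:(80|443)$/ { split($5, a, ":"); n[a[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs holding more than $1 simultaneous connections.
# A handful of IPs far above everyone else points at a flood or a
# misbehaving client; a broad spread of low counts looks like real traffic.
noisy_ips() {
    count_by_ip | awk -v lim="$1" '$1 > lim { print $2 }'
}

# Count requests to .php scripts per client IP from combined-format log
# lines (field 1 = client IP, field 7 = request path). One IP hammering
# a single PHP page is the usual signature of a layer 7 attack.
php_hits_by_ip() {
    awk '$7 ~ /\.php/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demonstration on the constructed samples
printf '%s\n' "$NETSTAT_SAMPLE" | noisy_ips 3
printf '%s\n' "$LOG_SAMPLE" | php_hits_by_ip
```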
 
I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

Now I've been using Sucuri for 2 months and it's very effective.
 
I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

Now I've been using Sucuri for 2 months and it's very effective.

I'm sure it is.

Really, I just found the best host possible. Some hosts offer protection free of charge.

@Cyb3r, I suggest a new host if you can't afford Sucuri. I can point you in the right direction if you need, just PM me. What you're looking at here is $1 for the first month and $6.50/month after that for 2 GB RAM. The higher you go, it is still very cheap. The reason I use my host of choice is they offer 160 Gigabytes per second protection. An unprecedented amount of protection which makes Sucuri look like softies.

If you think you can find a host similar, the answer is you can. They are everywhere.

But if you are able to afford them I have heard great things about Sucuri. I didn't want to promote another site on the forums which is why I haven't linked you but if you are interested shoot me a pm.
 
Also I just noticed @Cyb3r

In your load example, it shows "lfd" as sleeping. I believe that is a process of CSF - ConfigServer Security & Firewall. The example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

http://www.tecmint.com/install-configserver-security-firewall-csf-in-rhel-centos-fedora/
 
I also tried Cloudflare Pro to mitigate this kind of attack, but it's useless.

Now I've been using Sucuri for 2 months and it's very effective.

Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(

I'm sure it is.

Really, I just found the best host possible. Some hosts offer protection free of charge.

@Cyb3r, I suggest a new host if you can't afford Sucuri. I can point you in the right direction if you need, just PM me. What you're looking at here is $1 for the first month and $6.50/month after that for 2 GB RAM. The higher you go, it is still very cheap. The reason I use my host of choice is they offer 160 Gigabytes per second protection. An unprecedented amount of protection which makes Sucuri look like softies.

If you think you can find a host similar, the answer is you can. They are everywhere.

But if you are able to afford them I have heard great things about Sucuri. I didn't want to promote another site on the forums which is why I haven't linked you but if you are interested shoot me a pm.

Currently I'm hosting with OVH, I pay $37/month so idk, what do you think?
 
Also I just noticed @Cyb3r

In your load example, it shows "lfd" as sleeping. I believe that is a process of CSF - ConfigServer Security & Firewall. The example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

http://www.tecmint.com/install-configserver-security-firewall-csf-in-rhel-centos-fedora/

CSF is working well and I have already blocked unwanted ports and restricted SSH access to my IP only. I don't use any control panels, BTW.
 
Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(



Currently I'm hosting with OVH, I pay $37/month so idk, what do you think?

I highly suggest NuWebHosting.com

You'll be able to see when you browse their site that they offer well below market value. When I had signed up with them I was impressed by the price but after using their support service, I later discovered it was a gold mine. They are not foreign and I believe they are U.S. based. But they are very thorough in their support.

Anyways for what you now have, I believe 4 GB RAM? You can get that on this host for $15/mo with included 160 GPS protection. If you want cpanel/whm it's extra with every host but you would still be below the amount you pay now with the protection included.

I suggest you give them a browse and see how it goes. I host a 12 GB RAM VPS with them and paid $238 the first year on a 50% discount deal.
 
Thank you for pointing that out, but I see they don't offer monthly subscription and unfortunately I can't afford annual costs. (it's not even annually) :(



Currently I'm hosting with OVH, I pay $37/month so idk, what do you think?
Switch to Linode or Ramnode with the same amount you are paying now then put Sucuri in front of your site = Profit ;).
 
I'm also a centminmod user; I came from an OVH dedicated server
and experienced heavy layer 7 attacks in the past.
What I'm using now is Linode+Sucuri.
Well, Ramnode is really fine also.
 
I'm also a centminmod user; I came from an OVH dedicated server
and experienced heavy layer 7 attacks in the past.
What I'm using now is Linode+Sucuri.
Well, Ramnode is really fine also.

I have seen Ramnode; they provide real protection just like NuWebHosting, but after viewing Linode's website it didn't mention anything about advanced mitigation. If someone were to host with either one of those companies they wouldn't even need Sucuri, even though you would benefit even more.

But heck, I say get a 12 GB RAM VPS for what you're paying now; either way RamNode is an option too. It depends what genre of site you're hosting here. Some get attacked more than others.

For $9/month if I remember Sucuri does not provide layer 3 and 4 protection, just layer 7. Still worth it for sure. Sometimes it's all you really need.

Anyways good luck to you.
 
but after viewing Linode's website it didn't mention anything about advanced mitigation.
You don't need any mitigation or protection for layers 3, 4 and 7, since you'll be using Sucuri in front of your website.
Just don't let your server IP be leaked in public.

For $9/month if I remember Sucuri does not provide layer 3 and 4 protection, just layer 7. Still worth it for sure. Sometimes it's all you really need.
Only Layer 7 protection is all you need and that's enough :).
 
Also I just noticed @Cyb3r

In your load example, it shows "lfd" as sleeping. I believe that is a process of CSF - ConfigServer Security & Firewall. The example showing it sleeping can't be good. Maybe you should check to see if it's installed in WHM. If you don't see it in plugins then use this link to install it. It's a free firewall for WHM/webmin and is what every webhost should use.

http://www.tecmint.com/install-configserver-security-firewall-csf-in-rhel-centos-fedora/

lfd is supposed to be sleeping.
 
Not sure why everyone is telling you to change hosts. Must want you to PM them for affiliate links or something.

If you are currently with OVH, you already have very good DDoS protection in place. There is no reason to change hosts or use Sucuri or anything else. Either you are likely not being DDoSed, or whatever it is just isn't at a level where it's triggering the protection at OVH, and you might need to fine-tune the protection with them.
 