Heavy hitting IP [Archive]

X-or

01-10-2017, 03:46 PM

hello I would like to know how to handle certain heavy hitting IP

once in a while I look at the awstats logs and find some abnormally heavy hitting IPs
for example
ip68-231-211-53.oc.oc.cox.net 81 921 82 470 52.79 Mo 10 Jan 2017 - 07:48
c-5eeaaa91-74736162.cust.telenor.se 59 983 61 441 107.82 Mo 10 Jan 2017 - 03:41

Not only the page views are abnormally high for a single individual but the page/hit ratio is also abnormal

I don't think it is a ddos attack because I have ddos protection, I assume this activity is the result of some kind of script, not sure if malicious or not

I have two questions :
1. should I ban these IP
2. is there a way to automatically detect this kind of activity and ban the offenders?

Dave

01-10-2017, 03:51 PM

It could be a crawler or someone running a script, hard to tell. If you have access to your access logs then you should filter it by those IP addresses and see what they are doing.

To answer your questions:
1. You could if you think it's fishy, but you don't know whether they have a dynamic or static IP. Banning dynamic IP addresses is pretty much useless.
2. It depends on what they are doing. If it's a flood then your DDoS protection should block it. It's hard to tell from our position. Check your access logs and find out what it's doing.

Dave

01-10-2017, 04:05 PM

You could ask those members what they are doing and tell them to stop.
Worst case scenario, ask your host to tweak your settings or implement a JavaScript check screen. CloudFlare does this to prevent attacks or to lower impact on the server since bots usually don't have JavaScript support.

Dave

01-10-2017, 04:19 PM

It checks whether the user has JavaScript enabled. You can't implement it, it has to be enabled by your host but not all hosting companies provide such feature.

Dave

01-10-2017, 04:39 PM

Alternative? Use CloudFlare, Incapsula or Securi.
They all provide website and DDoS protection services which all only require a change to your domain its name-servers.

Paul M

01-10-2017, 04:40 PM

What problem is it actually causing you ?

Dave

01-10-2017, 05:09 PM

Then I'm afraid there are no other options. The traffic you don't want to be reaching your server has to be stopped before it even reaches your server/network.

A PHP script will not help you with that since it will be hitting that PHP script and still cause "load" on your server. Then you have to figure out the patterns of those bots and make rules in the PHP script that block these requests.

Paul M

01-10-2017, 07:37 PM

Not entirely sure
The might I suggest you stop worrying about a problem you dont have. ;)

but sometimes my sites are kind of slow, despite having enough power to deal with the traffic
Which seems contradictory, but many things can make a site seem slow at times, many having nothing to do with the site itself.

You seem to be inventing an issue where you have no actual proof there is a problem.