If you're noticing hundreds of GET requests in your logs, it's important to understand that this does not necessarily indicate a DDoS (Distributed Denial of Service) attack. Here's why:
When a legitimate visitor or bot accesses your website, they aren't just making a single GET request for the main page. Instead, the browser or bot makes multiple GET requests to load all the resources needed to display the page properly. These requests typically include:
- HTML files (the main page content)
- CSS files (for page styling)
- JavaScript files (for functionality and interactivity)
- Images (such as logos, banners, etc.)
- Fonts (if custom fonts are used)
- External libraries or third-party resources
Each of these files must be fetched from the server individually, which is why it’s completely normal for one visitor to generate dozens, or even hundreds, of GET requests, depending on the complexity of the page. This behavior is a standard part of how web browsers work.
This does not mean you are under a DDoS attack. A DDoS attack involves many sources sending traffic at once so that the server's resources are exhausted. A high number of GET requests from a single visitor is ordinary web traffic, especially on resource-heavy pages. Keep in mind that requests and connections are different numbers: a modern browser reuses a few keep-alive connections (or a single HTTP/2 connection) for all of those asset requests, so hundreds of requests in the log from one visitor usually correspond to only a handful of concurrent connections.
cPFence DDoS Protection
The cPFence DDoS module is designed to protect your server against such attacks. It uses iptables to automatically block any IP address that exceeds 100 concurrent connections. Because this limit is enforced by the kernel's packet filter rather than by the web server, connections above the limit are blocked before they reach the web server and tie up its workers, and the limit cannot be evaded at the HTTP level; an attacker can only stay under it by spreading connections across many IPs, which is the case covered in the next section.
Whitelisted IPs, such as those of trusted services like Cloudflare or other CDNs, or any IPs you whitelist manually, are exempt from this rule. Be aware of what that exemption implies: if a site is proxied through Cloudflare, the connections your server sees come from Cloudflare's whitelisted addresses, so the per-IP limit does not apply to that traffic and you are relying on the proxy's own protection for it (and your web server should be configured to log the real client IP rather than the proxy's). For traffic that reaches the server directly, the limit is strict and precise, blocking potential DDoS sources while allowing legitimate traffic to pass through.
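The 100-connection threshold counts established TCP connections per source address, which is not the same number as lines in the access log. The following check, an added example rather than cPFence's own code, shows what the limit actually measures on a server. It assumes the iproute2 `ss` tool is installed and reads its `-Htn state established` column layout (Recv-Q, Send-Q, Local:Port, Peer:Port); the sample `ss` output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of cPFence: count established TCP connections per
# remote IP on the web ports. This is the quantity a per-IP connection limit
# looks at; request counts in the access log are a different number, since
# many requests can share one keep-alive or HTTP/2 connection.

# Reads `ss -Htn state established` output on stdin (columns: Recv-Q Send-Q
# Local:Port Peer:Port) and prints "connections ip", busiest first.
conn_per_ip() {
  awk '{
      peer = $4
      sub(/:[0-9]+$/, "", peer)     # drop the remote port
      gsub(/\[|\]/, "", peer)       # strip the brackets ss puts around IPv6 peers
      n[peer]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr
}

# Live check on a server (assumes iproute2 ss is available); not run here.
live_conn_per_ip() {
  ss -Htn state established '( sport = :80 or sport = :443 )' | conn_per_ip
}

# Constructed sample shaped like `ss -Htn state established` output (not a
# real capture): two peers over IPv4, one over IPv6.
SAMPLE_SS='0      0      10.0.0.2:443         203.0.113.5:51022
0      0      10.0.0.2:443         203.0.113.5:51023
0      0      10.0.0.2:80          198.51.100.9:40001
0      0      10.0.0.2:80          198.51.100.9:40002
0      0      10.0.0.2:80          198.51.100.9:40003
0      0      [2001:db8::2]:443    [2001:db8::1]:60000'

printf '%s\n' "$SAMPLE_SS" | conn_per_ip
```

On a real server, call `live_conn_per_ip` and compare the top entries with the 100-connection threshold; an address that shows up with many lines in the access log but only a few connections here is exactly the case where the automatic limit will not trigger.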
What If I'm Getting Overwhelmed by IPs but Still Under 100 Concurrent Connections?
If you are noticing that multiple IPs are overwhelming your server but not reaching the 100 concurrent connection limit, you can identify and block these IPs manually. To find which IPs are making the most requests, use the following command:
tail -n 50000 /var/local/enhance/webserver_logs/*.log | grep -E '"[^"]*" "[^"]*" "[A-Z]+ [^"]*" "[^"]*" "[^"]*" "[^"]*" "[^"]*" "[^"]*"' | awk '{print $1}' | sort | uniq -c | sort -nr
This command will:
- Look at the last 50,000 lines of each of your web server log files.
- Keep only lines that match the expected access-log format (the grep step), which also discards the file-name headers that tail prints when given several files.
- Extract the client IP address, the first field of each line.
- Sort and count the number of requests per IP address, most active first.
Review the IPs at the top of the list for any that are making an unusually high number of requests, and check each one before acting on it: look up who owns it (whois or reverse DNS), look at its User-Agent, and look at which URLs it is requesting. A real visitor fetches many different assets once each, whereas an abusive client typically hits the same one or two URLs over and over. If your sites sit behind a CDN or reverse proxy, also confirm that the first log field is the real client IP rather than the proxy's address, or the counts will be misleading.
To block any suspicious IPs, you can use the following command:
cpfence --add-blacklist-ip IP
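The count-per-IP command above tells you who is busiest, but not whether the busy IP is a visitor loading pages or a client hammering one endpoint. The script below, an added example that is not cPFence or Enhance tooling, extends that pipeline with two more columns per IP (distinct paths requested and the share of requests going to the single most-requested path) and flags IPs that cross both a volume and a concentration threshold. It assumes the common/combined access-log layout, where the client IP is field 1 and the request path is field 7; adjust the field numbers if your log format differs. The sample log lines embedded in it are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not cPFence or Enhance tooling): profile each IP in an access
# log by how it behaves, not just by how many lines it produced.
#
# Assumes the common/combined access-log layout: client IP in field 1 and the
# request path in field 7 ("GET /path HTTP/1.1" splits into fields 6, 7, 8).
# Adjust the two field numbers if your log format differs. Behind a CDN or
# reverse proxy, field 1 must already hold the real client IP.

# Reads log lines on stdin and prints one line per IP, busiest first:
#   requests  ip  distinct_paths  top_path_requests  top_path
profile_ips() {
  awk '{
      ip = $1
      path = $7
      total[ip]++
      hits[ip SUBSEP path]++
    }
    END {
      for (key in hits) {
        split(key, parts, SUBSEP)
        ip = parts[1]; path = parts[2]
        distinct[ip]++
        if (hits[key] > top_n[ip]) { top_n[ip] = hits[key]; top_path[ip] = path }
      }
      for (ip in total)
        printf "%d %s %d %d %s\n", total[ip], ip, distinct[ip], top_n[ip], top_path[ip]
    }' | sort -k1,1nr
}

# Prints IPs with at least MIN_REQ requests whose single most-requested path
# accounts for at least MIN_SHARE percent of them. A browser loading a page
# fetches many distinct assets once each and scores low; a client hammering
# one endpoint scores high. The defaults are placeholders; tune them to your
# own traffic before using the output to blacklist anything.
suspicious_ips() {
  min_req="${1:-200}"
  min_share="${2:-50}"
  profile_ips | awk -v min_req="$min_req" -v min_share="$min_share" \
    '$1 >= min_req && ($4 * 100 / $1) >= min_share { print $2 }'
}

# Constructed sample log lines (not real traffic): 203.0.113.5 is one visitor
# loading a page and its assets; 198.51.100.9 keeps posting to one URL.
SAMPLE_LOG='203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 812 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:01 +0000] "GET /js/app.js HTTP/1.1" 200 4410 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "GET /img/logo.png HTTP/1.1" 200 9001 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "GET /fonts/inter.woff2 HTTP/1.1" 200 30120 "https://example.com/" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "GET /img/banner.jpg HTTP/1.1" 200 70200 "https://example.com/" "Mozilla/5.0"
198.51.100.9 - - [10/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2025:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 120 "-" "python-requests/2.31"
192.0.2.77 - - [10/May/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2025:10:00:03 +0000] "GET /css/site.css HTTP/1.1" 304 0 "https://example.com/about" "Mozilla/5.0"'

echo "== per-IP profile =="
printf '%s\n' "$SAMPLE_LOG" | profile_ips
echo "== suspicious: at least 8 requests, at least 50% of them to one path =="
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips 8 50
```

On a real server, feed the output of the tail-and-grep pipeline from the command above into `profile_ips` instead of the sample (the grep already removes the file-name headers tail prints), after adjusting the field numbers to your log format. An IP that `suspicious_ips` flags is a candidate for the blacklist command above, not an automatic verdict; still check its owner and User-Agent first.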
Why Doesn't cPFence Block These IPs Automatically?
cPFence does not block these IPs automatically because doing so would produce a large number of false positives. Automatically blocking IPs with fewer than 100 connections could cut off legitimate traffic, especially from search engine crawlers, content delivery networks (CDNs), many users sharing one address behind NAT, or simply busy legitimate users. The manual review step ensures that only genuinely malicious IPs are blocked, with a qualified server admin making the final decision on whether an IP should be blocked.
By following this procedure, you can fine-tune your server's protection while ensuring that legitimate traffic continues to flow smoothly.