
I apologize in advance if this question is in the wrong forum; this is my first question here!

My client has hosting with Aliyun Cloud (Alibaba Cloud in China). I've deployed a microsite to their servers, which has the following structure:

microsite.com -> CDN1 -> SLB -> 2x ECS -> DB ECS

oss.microsite.com -> CDN2 -> OSS

The ECS instances under the SLB have sticky sessions and serve only the HTML response. All other files (JS, CSS, etc.) are served from the OSS domain. These instances also use the database to store session data (e.g. user IP address, timestamp of last activity, etc.).

After 3 weeks, the database instance ran out of its 40 GB of storage space. When I looked into it, I saw 23 million session entries.

The ECS instances are under a constant 100-150 concurrent connections, day and night, 24/7, although the actual number of users (we use GA for tracking) is maybe 10-15 per day (the campaign hasn't started yet).

I am baffled, as client IT says this is "normal" and not an "attack" because it would be "much more severe". They have no explanation of where this traffic comes from. I can see, however, in the access log (tail -f access.log) a constant flow of requests.

These are always there, day and night, whenever I SSH in. GA is empty, except when I open the microsite or someone from the client side does (as the link wasn't pushed to media yet).

Does anyone have any advice on what this is? It seems to me like some attempt to run the server out of resources, or some unsuccessful DDoS. But because it is still at 100-200 concurrent connections, no firewall / security rule is activated by Aliyun. I don't have access to the Aliyun console; I can only SSH into the servers.

I simply can't believe this is "normal". On Cloudflare I had options for bot protection, JavaScript challenge, etc. Aliyun seems to have nothing. Or they simply don't care.

Some technical info:

All ECS instances are on Ubuntu 20.04. The web service is Apache2, with PHP 7.4 and PHP 7.4-FPM running. The database instance runs MySQL 8. The database instance only allows connections from the web server instances, and those allow HTTP connections only from the SLB (Server Load Balancer, equivalent to Elastic Load Balancer on AWS). This means that all traffic still has to come through the SLB to the instances under it.

Has anyone experienced anything like this? How can I protect my backend from it if they are unable to do it?

  • @AdminBee thank you for letting me know, I wasn't aware of the rule. Screenshot removed! Commented Sep 7, 2021 at 7:32
  • Well, there is no "ban" on screenshots in the strict sense; only if you can avoid screenshots, you should copy-and-paste the intended console output or file content into the question as text instead, for the reasons I mentioned :) Commented Sep 7, 2021 at 7:34

1 Answer


OK, we found out what the issue was; just so I can close the question: there was no DDoS or any attack.

Client IT had set their load balancer to, literally, machine-gun the server instances, and all the traffic I saw in the access log was actually the health check.

Now that they have set it to a reasonable 2-3 min per check, it's gone.

Sorry to trouble you all.
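Added example (not code from the question or the answer): a small Python triage script that groups Apache access-log hits by source IP, request line and user agent and flags sources that recur on a near-fixed interval with no Referer, which is the shape the health-check traffic in the answer would have had in `access.log`. The combined log format, the IPs and the `HealthChecker/1.0` user agent are constructed assumptions, not Alibaba Cloud's real values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Apache "combined" LogFormat is assumed; adjust LOG_RE if the vhost logs differently.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one probe hitting "/" every 2 s, plus a real visitor. The IPs and
# the HealthChecker user agent are made up, not the load balancer's actual values.
SAMPLE_LOG = """\
100.64.0.5 - - [07/Sep/2021:07:30:00 +0800] "GET / HTTP/1.1" 200 512 "-" "HealthChecker/1.0"
203.0.113.7 - - [07/Sep/2021:07:30:01 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
100.64.0.5 - - [07/Sep/2021:07:30:02 +0800] "GET / HTTP/1.1" 200 512 "-" "HealthChecker/1.0"
100.64.0.5 - - [07/Sep/2021:07:30:04 +0800] "GET / HTTP/1.1" 200 512 "-" "HealthChecker/1.0"
203.0.113.7 - - [07/Sep/2021:07:30:05 +0800] "GET /signup HTTP/1.1" 200 4000 "https://microsite.com/" "Mozilla/5.0"
100.64.0.5 - - [07/Sep/2021:07:30:06 +0800] "GET / HTTP/1.1" 200 512 "-" "HealthChecker/1.0"
100.64.0.5 - - [07/Sep/2021:07:30:08 +0800] "GET / HTTP/1.1" 200 512 "-" "HealthChecker/1.0"
100.64.0.5 - - [07/Sep/2021:07:30:10 +0800] "GET / HTTP/1.1" 200 512 "-" "HealthChecker/1.0"
""".splitlines()

def parse_line(line):
    """Return a dict of the combined-log fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def profile_sources(lines, min_hits=5, max_jitter=1.0):
    """Group hits by (client IP, request line, user agent) and measure their spacing.
    Repeating at a near-constant interval with no Referer looks like an upstream prober."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        groups[(rec["ip"], rec["req"], rec["ua"])].append(rec)
    profile = {}
    for key, recs in groups.items():
        stamps = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        no_referer = all(r["ref"] == "-" for r in recs)
        # short-circuit keeps pstdev() away from groups with fewer than two gaps
        periodic = len(stamps) >= min_hits and no_referer and pstdev(gaps) <= max_jitter
        profile[key] = {"hits": len(stamps), "mean_gap": mean(gaps) if gaps else None,
                        "periodic": periodic}
    return profile

def suspected_probes(lines):  # IPs to cross-check against the SLB's health-check source range
    return sorted({ip for (ip, _, _), p in profile_sources(lines).items() if p["periodic"]})
```

Once a flagged source is confirmed as the SLB health check, the session-bloat half of the problem goes away by not starting a PHP session (and so not writing a DB row) for the health-check path, independently of the probe interval.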
