Issue¶

How can I tell if my website is being attacked?

Resolution¶

There are many reasons a website can be slow. Keeping your Acquia sites performant outlines several suggestions for checking overall Drupal and server performance. If you've already tuned your website and you're still experiencing performance issues, high levels of traffic may be the cause.

If you're an Acquia customer, and you expect a high traffic event, you can create an Acquia Support ticket. Include as much information as possible about the website, date and time for the event, and expected amount of traffic.

Note

Acquia Cloud Enterprise and Acquia Cloud Site Factory customers may want to consider Acquia Cloud Edge. The Acquia Cloud Edge Protect product can help protect against DoS (denial of service) or DDoS (distributed denial of service) attacks.

If you're experiencing an unexpected high-traffic event, the cause could be a DoS or DDoS attack or a scan by a bot or crawler. These will generally look like repeated requests against one or more ports or URLs on your server, by one or a group of IP addresses.

How to find a scan¶

The most obvious place to find repeated requests to a particular part of your website or server is to check the Apache access.log. This file generally records every attempt to access a file or path for the website. See Searching the error logs to troubleshoot problems for suggestions on finding errors and traffic trends.

Specific things to look for¶

Two of the biggest indicators that a scan or attack is happening, from the perspective of the access.log, are repeated requests to the same URL, or repeated login attempts (potentially indicating a hack attempt).

A brute force attack against a Drupal user or other URL might look something like this:

/user/password?name=abcdefghij 
/user/password?name=abcdefghijk 
/user/password?name=abcdefghijkl 
/user/password?name=abcdefghijklm 

If you suspect a bot or a small group of IP addresses is the primary vector of the attack, you can try to determine what IPs are making the most requests. You can use the code below, at the command line, to search for the forwarded-for header, and see what addresses are listed. Replace the date with the date of the log file you want to search.

grep "05/Dec/2019:02:1" access.log | egrep -o "forwarded_for\S*" | sort | uniq -c | sort -nr | head

Mitigating the attack¶

There are several methods that you can use to mitigate an attack. You may choose one or more methods, depending on how your website is being accessed.

• Use Acquia Cloud Edge Protect
  • Acquia Cloud Edge Protect secures your website with a Web Application Firewall (WAF), high-speed DNS, and protection against DoS and DDOS attacks. Acquia Cloud Edge CDN provides services that can help your website stay up during an attack.
• Denying spammers
  • If someone is attempting brute force registrations or comments, CAPTCHA solutions and alternatives can be a deterrent.
• Speed up 404 responses
  • If someone is attempting to bypass the Varnish cache or otherwise access random URLs, Drupal will bootstrap on every attempt, use Fast 404 to circumvent a complete bootstrap.
• Password protect non-production websites
  • To prevent attacks on non-production websites, you should password-protect them. Non-production websites may be more vulnerable to attack, due to their very nature of constantly changing (and not necessarily security-tested) code.
• Use caching
  • Caching can significantly increase website performance, and help give a website administrator enough time to put other mitigations in place before an outage occurs. To learn more about caching, see the caching overview, and for large websites, consider using a content delivery network (CDN).
• Deny access
  • ​​​​​​​You can use the .htaccess file and rewrite rules to block access to paths, or to block access from particular addresses to your website. There are various ways to restrict access.

If you are an Acquia customer, and you suspect your website is under inappropriate load, you can also contact Acquia support to obtain troubleshooting assistance.