Score:0

EC2 instance experiences massive inbound traffic spikes. Apache logs show normal usage

Ron

I need some direction in figuring out what's going on here.

I have an EC2 instance that is running a WordPress site. Inbound traffic on the instance is spiking to alarming levels which are not consistent with the usage of the website. Outbound traffic is relatively normal.

This slows down the website, and Apache logs do not reflect the traffic that is hitting the server. There is nothing out of the ordinary in the logs, except for many 'Internal dummy connections' which are spawned by the server, and which, according to my reading, are nothing to worry about.

WordFence (WordPress security plugin) shows nothing out of the ordinary either. So I'm doubtful that it is an attack of some sort.

What steps can I take to learn the source and content of the traffic that is hitting my EC2 instance?

(Sorry if this is a vague question. I'm not an EC2 expert, and this is all the information I have).


UPDATE: Current suspicion is that it is a DOS attack.

Paul
Is it with perfect regularity? WordPress does have its "cron" script, or something like that I think it's called.
Ron
@Paul. It's consistent, but not regular, not predictable. And WordPress crons would register as an inbound network packet, would it?
Paul
When I've configured nginx to only permit what is necessary for WordPress to run, I have to `allow <server external IP address>;` or `wp-cron.php` won't run and fills `error.log`, IIRC. I just searched DDG for `wp-cron.php` and this top result article explains it more than I knew before searching. https://medium.com/@thecpanelguy/the-nightmare-that-is-wpcron-php-ae31c1d3ae30
Ron
Thanks @Paul. However, it's not wp-cron, as calls to wp-cron.php are clearly represented in the logs and they are not excessive.
Score:1

For analyzing your inbound traffic, please check the following link:

https://docs.aws.amazon.com/wellarchitected/latest/financial-services-industry-lens/monitor-vpc-flow-logs-for-abnormal-traffic-patterns.html

If you want to be better protected against DDoS attacks you may try to use the AWS Shield service. However, the AWS Shield Advanced option is a very expensive service, but the AWS Shield Standard option could be your first choice to protect the EC2 instance. You didn't mention at what layer the attack took place. Layer 7 protection = AWS Shield Advanced.
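Once VPC Flow Logs are enabled for the instance's network interface, the question of where the inbound bytes come from, and whether they even land on the ports Apache serves, can be answered by aggregating the records. The following is an added example, not code from this thread or from AWS; it parses the default flow-log record format (version 2, space-separated fields) and assumes constructed sample records with placeholder addresses, account id and ENI id.

```python
from collections import defaultdict

# Constructed sample records in the default VPC Flow Logs format (version 2).
# Field order: version account-id interface-id srcaddr dstaddr srcport dstport
#              protocol packets bytes start end action log-status
# All addresses, the account id and the ENI id are placeholders, not real data.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0abc123 203.0.113.5 10.0.1.10 51234 80 6 9000 12500000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0abc123 203.0.113.5 10.0.1.10 51235 80 6 8000 11000000 1700000060 1700000120 ACCEPT OK
2 111111111111 eni-0abc123 198.51.100.7 10.0.1.10 443 443 6 20 3000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0abc123 10.0.1.10 198.51.100.7 443 443 6 15 2000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0abc123 192.0.2.9 10.0.1.10 40000 22 6 50 4000 1700000000 1700000060 REJECT OK
2 111111111111 eni-0abc123 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_log(text):
    """Parse default-format flow-log lines; skip malformed and non-OK records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA carry no flow fields
            continue
        records.append(rec)
    return records


def top_inbound_sources(records, instance_ip, action="ACCEPT", limit=5):
    """Rank (srcaddr, dstport) pairs sending to the instance by bytes received."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "flows": 0})
    for r in records:
        if r["dstaddr"] != instance_ip or r["action"] != action:
            continue
        key = (r["srcaddr"], int(r["dstport"]))
        totals[key]["bytes"] += int(r["bytes"])
        totals[key]["packets"] += int(r["packets"])
        totals[key]["flows"] += 1
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:limit]


def inbound_bytes_by_port(records, instance_ip):
    """Accepted inbound bytes per destination port: traffic on ports other than
    80/443 would never appear in Apache's access log."""
    per_port = defaultdict(int)
    for r in records:
        if r["dstaddr"] == instance_ip and r["action"] == "ACCEPT":
            per_port[int(r["dstport"])] += int(r["bytes"])
    return dict(per_port)
```

Comparing the top sources with the same time window in the Apache access log shows whether the spike is real HTTP traffic from a few addresses or something that never reaches the web server at all.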

Score:1

To make your life easier you would need to use a monitoring tool. Amazon offers CloudWatch, which is a component of AWS that provides real-time monitoring of AWS resources running on Amazon infrastructure; it collects metrics and logs. Try to go to CloudWatch > Metrics > EC2 > Per-Instance Metrics, then try to filter by metric name and see if you can figure out what has happened on your instance.

Hope this is useful. Regards!

Ron
Thanks. CloudWatch is already being used. That's how I know about the excessive inbound traffic in the first place. What I'm missing now is a way to inspect that traffic.