My Site is Being Attacked

    Updated: October 03, 2019 19:21

    Issue

    How can I tell if my website is being attacked?

    Resolution

    There are many reasons a website can be slow. The article "Keeping your Acquia sites performant" outlines several suggestions for checking overall Drupal and server performance. If you've already tuned your website and you're still experiencing performance issues, high levels of traffic may be the cause.

    If you're an Acquia customer, and you expect a high traffic event, you can create an Acquia Support ticket. Include as much information as possible about the website, date and time for the event, and expected amount of traffic.

    Note

    Acquia Cloud Enterprise and Acquia Cloud Site Factory customers may want to consider Acquia Cloud Edge. The Acquia Cloud Edge Protect product can help protect against DoS (denial of service) or DDoS (distributed denial of service) attacks.

    If you're experiencing an unexpected high-traffic event, the cause could be a DoS or DDoS attack or a scan by a bot or crawler. These will generally look like repeated requests against one or more ports or URLs on your server, by one or a group of IP addresses.

    How to find a scan

    The most obvious place to look for repeated requests to a particular part of your website or server is the Apache access.log. This file generally records every attempt to access a file or path for the website. See "Searching the error logs to troubleshoot problems" for suggestions on finding errors and traffic trends.

    Specific things to look for

    From the perspective of the access.log, two of the biggest indicators that a scan or attack is happening are repeated requests to the same URL and repeated login attempts (potentially indicating a hack attempt).

    A brute force attack against a Drupal user or other URL might look something like this:

    /user/password?name=abcdefghij 
    /user/password?name=abcdefghijk 
    /user/password?name=abcdefghijkl 
    /user/password?name=abcdefghijklm 

    If you suspect that a bot or a small group of IP addresses is the primary vector of the attack, you can try to determine which IPs are making the most requests. Run the command below at the command line to extract the forwarded_for field from each matching line and count how often each value appears. Replace the date and time in the pattern with those of the period you want to search; as written, the pattern matches requests logged between 02:10 and 02:19 on 05 Dec 2019.

    grep "05/Dec/2019:02:1" access.log | grep -oE "forwarded_for\S*" | sort | uniq -c | sort -nr | head
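
    The check described above, as an added example that is not part of the original article or Acquia's tooling: it counts requests per client and path with the query string removed, so requests like the /user/password ones shown earlier, which differ only in name=, are grouped together. The log lines are constructed; only the forwarded_for field name comes from the article, and the rest of the line layout and the choice of the first forwarded_for entry as the client are assumptions.

```shell
#!/bin/sh
# Constructed sample lines (not real traffic). Assumed layout: combined log
# format followed by a forwarded_for="client, proxy" field.
sample_log() {
cat <<'EOF'
10.0.0.1 - - [05/Dec/2019:02:11:03 +0000] "GET /user/password?name=abcdefghij HTTP/1.1" 200 512 "-" "bot" forwarded_for="198.51.100.7, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:11:04 +0000] "GET /user/password?name=abcdefghijk HTTP/1.1" 200 512 "-" "bot" forwarded_for="198.51.100.7, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:11:05 +0000] "GET /user/password?name=abcdefghijkl HTTP/1.1" 200 512 "-" "bot" forwarded_for="198.51.100.7, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:11:06 +0000] "GET /user/password?name=abcdefghijklm HTTP/1.1" 200 512 "-" "bot" forwarded_for="198.51.100.7, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:12:10 +0000] "POST /user/login HTTP/1.1" 200 734 "-" "bot" forwarded_for="192.0.2.44, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:12:11 +0000] "POST /user/login HTTP/1.1" 200 734 "-" "bot" forwarded_for="192.0.2.44, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:12:12 +0000] "POST /user/login HTTP/1.1" 200 734 "-" "bot" forwarded_for="192.0.2.44, 10.0.0.1"
10.0.0.1 - - [05/Dec/2019:02:13:40 +0000] "GET /node/1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0" forwarded_for="203.0.113.5, 10.0.0.1"
EOF
}

# repeated_requests THRESHOLD
# Reads log lines on stdin and prints "count client path" for every
# client/path pair seen at least THRESHOLD times, busiest first.
repeated_requests() {
  awk -v min="$1" '
    {
      # Client: first address inside forwarded_for="..."; skip lines without it.
      if (!match($0, /forwarded_for="[^",]+/)) next
      client = substr($0, RSTART + 15, RLENGTH - 15)
      # Request target: second word of the first quoted request line.
      if (!match($0, /"[A-Z]+ [^ "]+/)) next
      split(substr($0, RSTART, RLENGTH), req, " ")
      path = req[2]
      sub(/\?.*/, "", path)   # group by path, ignoring the query string
      seen[client " " path]++
    }
    END { for (k in seen) if (seen[k] >= min) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Stand-alone run against the constructed sample with a threshold of 3.
sample_log | repeated_requests 3
```

    For a real log, pipe it in with a threshold suited to the site's normal traffic, for example `repeated_requests 100 < access.log`.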

    Mitigating the attack

    There are several methods that you can use to mitigate an attack. You may choose one or more methods, depending on how your website is being accessed.

    • Use Acquia Cloud Edge Protect

      Acquia Cloud Edge Protect secures your website with a Web Application Firewall (WAF), high-speed DNS, and protection against DoS and DDoS attacks. Acquia Cloud Edge CDN provides services that can help your website stay up during an attack.

    • Denying spammers

      If someone is attempting brute force registrations or comments, CAPTCHA solutions and alternatives can be a deterrent.

    • Speed up 404 responses

      If someone is attempting to bypass the Varnish cache or otherwise access random URLs, Drupal will bootstrap on every attempt. Use Fast 404 to avoid a complete bootstrap.

    • Password protect non-production websites

      To prevent attacks on non-production websites, you should password-protect them. Non-production websites may be more vulnerable to attack because their code changes constantly and has not necessarily been security-tested.

    • Use caching

      Caching can significantly increase website performance, and help give a website administrator enough time to put other mitigations in place before an outage occurs. To learn more about caching, see the caching overview, and for large websites, consider using a content delivery network (CDN).

    • Deny access

      You can use the .htaccess file and rewrite rules to block access to paths, or to block access from particular addresses to your website. There are various ways to restrict access.

    If you are an Acquia customer, and you suspect your website is under inappropriate load, you can also contact Acquia support to obtain troubleshooting assistance.

    Acquia Products

    • Acquia Cloud Edge

    Topics

    • security
    • ddos

    External Links

    • Searching the error logs to troubleshoot problems
    • Introduction to .htaccess rewrite rules
    • Website Access Restriction Methods
    • My site is hacked
    Hannah Miller