Issue
How can I tell if my website is being attacked?
Resolution
There are many reasons a website can be slow. Keeping your Acquia sites performant outlines several suggestions for checking overall Drupal and server performance. If you've already tuned your website and you're still experiencing performance issues, high levels of traffic may be the cause.
If you're an Acquia customer, and you expect a high traffic event, you can create an Acquia Support ticket. Include as much information as possible about the website, date and time for the event, and expected amount of traffic.
If you're experiencing an unexpected high-traffic event, the cause could be a DDoS (distributed denial of service) attack or a scan by a bot or crawler. These will generally look like repeated requests against one or more ports or URLs on your server, by one or a group of IP addresses.
How to find a scan
The most obvious place to find repeated requests to a particular part of your website or server is to check the Apache access.log. This file generally records every attempt to access a file or path for the website. See Searching the error logs to troubleshoot problems for suggestions on finding errors and traffic trends.
Specific things to look for
Two of the biggest indicators that a scan or attack is happening, from the perspective of the access.log, are repeated requests to the same URL, or repeated login attempts (potentially indicating a hack attempt).
A brute force attack against a Drupal user or other URL might look something like this:
/user/password?name=abcdefghij
/user/password?name=abcdefghijk
/user/password?name=abcdefghijkl
/user/password?name=abcdefghijklm
If you suspect a bot or a small group of IP addresses is the primary vector of the attack, you can try to determine what IPs are making the most requests. You can use the code below, at the command line, to search for the forwarded-for header, and see what addresses are listed. Replace the date with the date of the log file you want to search.
grep "05/Dec/2019:02:1" access.log | egrep -o "forwarded_for\S*" | sort | uniq -c | sort -nr | head
Mitigating the attack
There are several methods that you can use to mitigate an attack. You may choose one or more methods, depending on how your website is being accessed.
- Use Acquia Cloud Edge Protect
Acquia Cloud Edge Protect secures your website with a Web Application Firewall (WAF), high-speed DNS, and protection against distributed denial of service (DDOS) attacks. Acquia Cloud Edge CDN provides services that can help your website stay up during an attack.
- Denying spammers
If someone is attempting brute force registrations or comments, CAPTCHA solutions and alternatives can be a deterrent.
- Speed up 404 responses
If someone is attempting to bypass the Varnish cache or otherwise access random URLs, Drupal will bootstrap on every attempt. Use Fast 404 to circumvent a complete bootstrap.
- Password protect non-production websites
To prevent attacks on non-production websites, you should password-protect them. Non-production websites may be more vulnerable to attack, due to their very nature of constantly changing (and not necessarily security-tested) code.
- Use caching
Caching can significantly increase website performance, and help give a website administrator enough time to put other mitigations in place before an outage occurs. To learn more about caching, see the caching overview, and for large websites, consider using a content delivery network (CDN).
- Deny access
You can use the
.htaccessfile and rewrite rules to block access to paths, or to block access from particular addresses to your website. There are various ways to restrict access.
If you are an Acquia customer, and you suspect your website is under inappropriate load, you can also contact Acquia support to obtain troubleshooting assistance.