General help

Robot Attacks

Picture of Chris Meyer
Robot Attacks

Hi Great Moodle Team,

We've been suffering from what I think must be spider/bot attacks.  I'll find apache/httpd processes in TOP running in the upper 90's or 100% CPU.  Under normal conditions I never see anything like such high usage. After a while, these processes grind the server to a halt.  If I just kill the processes, everything runs great - til they come back.  It was beginning to be an every day occurance.

I did the usual robots.txt file, but it requires maintenance and not everyone respects it.

Soooo... I set up a routine in cron that runs every coupe of minutes and pipes a 'top' output to a php script that looks for apache/httpd processes over 90% and kills them and logs the event.

Been running great ever since smile Chris

Average of ratings: -
James Richardson
Re: Robot Attacks

Hello Chris!

I've seen this happen to many websites and its a shame. Most common is a DDOS attack from a particular IP address. There are steps you can take to pinpoint the exact cause of the server load to stop the malicious bot/script attacking your Moodle site.

If you run a cron job to find the 90% or over, you may miss the problematic issue between the times the cron job is not running. If you use TOP in batch mode while the server is going on the high load, you can determine exactly what is causing the spike. Please see this link for more information on how to  Run top in batch mode and log activity.

The following steps will explain how to check whats causing the load. Unfortunately the topic is deep so I cant place all the steps here. I linked to the information for each step.

  1. Determine cause of server usage spike
  2. Review recent website requests
  3. Block unwanted users from your site using .htaccess

If you can pin point the cause of the load spike, you can block the offending visitor. 

Best Regards,

James R



Average of ratings: -