Nginx hang and do not respond with large number of network connection in FIN_WAIT state

Peter Booth peter_booth at me.com
Fri Jan 11 04:35:10 UTC 2019


1. What does GET / return?
2. You said that nginx was configured as a reverse proxy. Is / proxied to a back-end?
3. Does GET / return the same content to different users?
4. Is the user-agent identical for these suspicious requests?


Sent from my iPhone

> On Jan 10, 2019, at 11:19 PM, gnusys <nginx-forum at forum.nginx.org> wrote:
> 
> The domain is proxied over cloudflare and the access log shows a large
> number of requests to the website from the cloudflare servers
> 
> 121115 162.158.88.4
> 121472 162.158.89.99
> 121697 162.158.90.176
> 122265 162.158.91.97
> 122969 162.158.93.113
> 125020 162.158.91.103
> 126132 162.158.90.194
> 128913 162.158.91.25
> 128980 162.158.93.89
> 
> the requests were all GET /  and the rate at which it is done mostly is
> extremely high pointing to a Layer 7 attack
> 
> We cant block the cloudflare IP's on the server as other sites (its a shared
> hosting server) may be using Cloudflare . At the moment the target IP on the
> server is blocked at the network level.Luckily the domain was using a
> dedicated IP
> 
> As I already said, Apache handles this pretty well , the only small issue I
> see is the server load getting a bit above normal and the Apache scoreboard
> getting filled up, but with Nginx the entire webstack freeze with the
> CLOSE_WAIT state and ESTABLISHED state extremely high and we can bring back
> things to normal only after disabling Nginx . Once Nginx is disabled, the
> CLOSE_WAIT and ESTABLISHED states clear off immediately too
> 
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282613,282649#msg-282649
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx



More information about the nginx mailing list