HTTP GET/POST FLOOD attacks?

[phil_s]

Hey there, 

A friend's server (php, to be exact) is now going down rather frequently (still irregular but almost every week), and I am trying to get to the bottom of it.
It's a serverpilot configured small to middle tier DO Ubuntu server, running php 7 on nginx, https only, (with a letsencrypt certificate added manually by me, not via serverpilot)
When looking through the various log files I found a couple of things I couldn't place, can you guys make anything of this?

This happens multiple times a day (form different IPs) and goes on for 40-50 pings:

200.8.223.47 - - [07/Mar/2017:01:02:27 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:13 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:03:59 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:04:45 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:05:32 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:06:19 +0100] "POST / HTTP/1.0" 301 229
200.8.223.47 - - [07/Mar/2017:01:07:05 +0100] "POST / HTTP/1.0" 301 229
....

Is this suspicious? (nobody was editing the site at this time)

 

And these here come in 2-10 sec intervals, usually in 2-3 minute bursts, from different IPs, sometimes multiple times a day, sometimes followed by 30-40 "POST" commands

86.106.157.213 - - [06/Mar/2017:16:40:53 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:40:58 +0100] "GET /wp-login.php HTTP/1.0" 301 245
86.106.157.213 - - [06/Mar/2017:16:41:03 +0100] "GET / HTTP/1.0" 301 233

While this should by no means get the server to it's knees (or should it?) this is not normal, right?

Cheers folks!
 

[godmok]

Looks like an attack on a WordPress site with a small wave.

Maybe this is an interesting read for it: https://perishablepress.com/protect-post-requests/

[phil_s]

  On 3/7/2017 at 2:30 PM, godmok said:

Looks like an attack on a WordPress site with a small wave.

Maybe this is an interesting read for it: https://perishablepress.com/protect-post-requests/

Expand  

Exactly what I needed... have only been cross-reading but: very interesting article with lots of hands on information, thanks a bunch!

 

[Zeka]

Hi @phil_s

Also check this blog post from Ryan

Filtering out common WordPress files

[phil_s]

Thanks again guys,

Just a quick update for anybody else who might run into this. Simply filtering out these:

RewriteCond %{REQUEST_URI} !\.(cgi|pl|asp|rar|zip)$ [NC]
RewriteCond %{REQUEST_URI} !wp-.*\.php$ [NC]

...took care of my problems. (No more crashes too)

Cheers!