website getting ddosed?
hi, my website has been facing a 502 http error for a very long time (6 hours), its a pterodactyl panel, and the nginx error log shows something like connect() to unix:/run/php/php8.1-fpm.sock failed (11: Resource temporarily unavailable)... the thing is we are thinking its a ddos and have also enabled waf from cloudflare and blocked every country except India yet the website is down, is it really a ddos?
also this happened all of a sudden, everything was working fine
To check if it's a DDoS, I would check:
1. your server's cpu usage/network
2. the overview graph in cloudflare for your site
3. Security -> Events for the number of events/requests blocked
do you use Cloudflare Tunnels at all or no? Another common source of bad gateway if misconfigured
not using tunnel, but it is proxied, thinking to tunnel it
under attack mode is also active
I would make sure they're not going around Cloudflare as well, only allow Cf IPs to ports 443/80 (assuming you're using default)
also https://community.cloudflare.com/t/mitigating-an-http-ddos-attack-manually-with-cloudflare/302366
and this is the bandwidth
in the skip waf?
no, this would be configuration on your origin https://developers.cloudflare.com/fundamentals/setup/allow-cloudflare-ip-addresses/
that's way more use than Cloudflare shows. I assume you're running actual gameservers on that machine too, right?
yes, currently only minecraft
okay let me check
do i have to follow these for each of the ips in the list?
if you use a specific firewall already like ufw there's scripts out there as well, ex; https://github.com/Paul-Reed/cloudflare-ufw
just be careful to not block everything/yourself out
i did this, also tunnelled the panel, yet its 502
this time its a little better at least the page opens and then again goes 502
and same going on
also, is this not for free? im not able to see it
@Chaika
you only have events for free, not the graph
still helpful to look over those and see if you can't identify a pattern
possible on your origin as well your setup isn't optimized well/could be changed to handle requests better
your description sounds like its just overloading it. Possible you have some limits you can raise, depends on your config
btw this isnt any problem right?
I'm no linux expert but I don't see anything problematic there. It's normal and expected for those /dev/loop | snap devices to be 100% full
ok, can u tell me a way to fix this issue completely its down for like 9 hours now the ddos seems to be out from india so I blocked every country yet its down
coz the event doesnt show anything else
I can't help much with the pterodactyl side of things, you have basically two options:
Try to block more requests/identify a pattern you can block
Increase origin resources/fix config to serve better
If you google your error you can find some interesting info for how you can better configure your php-fpm pool: https://serverfault.com/questions/843460/php-fpm-sock-failed-11-resource-temporarily-unavailable-while-connecting-to-u
did, still the same... i even blocked every ip except mine still not up
is it even ddos at this point
nvm it turned out to be a hardware issue which the vps provider didnt check properly
thanks for the help
there was def a spike in the request graph you showed though
perhaps it just revealed the underlying issue
but most of them was also blocked
and when the ddos stopped the website still didnt come online
coz i actually blocked every ip except mine lol
I wouldn't be surprised if one caused the other, if the issue was heating or something, if you have never had that issue before and it started with the ddos seems too much to just be bad timing. There were posts about that issue mentioning the same, prob that either requests were still queued or still consuming resources
anyway you secured your origin as well and know how to protect yourself in the future, good thing to do anyway
the minecraft servers were running fine too, thats what makes it more confusing
maybe only error in http and not tcp ? can it happen?
I don't see how that would be a hardware issue related though
hmm, btw the nginx error logs showed like having trouble connecting to php-fpm socket
the version was matching too
like resource temporary unavailable
Have you tried restarting the fpm socket?
Because if the fpm is down then you will get a bad gateway error back
yes obv i did, i even restarted the vps
Is the socket even active?
yes it was active
like there were no errors in the status
only the nginx had error connecting to the socket
and my cpu was stuck at 66%
Try to add a secondary socket as a fallback thats how I would do it then
how to?
and what secondary socket? like the same or some diff?
A different one a version lower or higher
i can use two php at the same time?
Not the same versions but two different versions
I guess I've not tested it
so in port 9000 some diff version is running?
Thats your Website port
or
wait
idk never did something like that
oh
fastcgi_pass is just the path to your php fpm socket
it can be the hostname but dont need to I guess
But yea its possible to have multiple php sockets active as long as they are different versions
but will the software support it?
Idk which php versions ptero supports tbh
doc says 8.1
support says it too
8.1
yes
isnt 8.1 out of support
uh wot
idk i guess whatever
https://www.php.net/supported-versions.php
Nvmd security support is still ongoing