
Question Strange apache access log and server load

Hello, in one of our domains’ Apache access_ssl_log I found something that, at least to me, seems strange. The log is from 21/Jul/2025:06:34:20 to 22/Jul/2025:06:29:03 and has 715’758 lines, which translate to 468’502 unique IPs. I did a basic count of IP occurrences and found that only 47’581 IPs appear more than 1 time, while 420’941 IPs do one random page hit and then disappear. This does not look like bot behavior. Does anybody have any idea what it is and how to stop it, since it greatly affects the server’s load?
 
That does sound like DDoS behavior. Out of curiosity, did you check the origin of (some of) the IPs to see where they originate and to which provider they belong? For example, with the help of AbuseIPDB (or any other IP database). That should help you determine whether these IPs (probably) belong to bots and crawlers.
 
Thank you for your reply.

I looked up some of the IPs in the database you proposed, and most of them are from the USA, from various ISPs, and are not listed as bad. The specific e-shop sells globally, so I cannot exclude whole countries.

I looked in the logs again and found that all these requests are hitting complex filter URLs that in most cases have no products listed, i.e.
“GET /product-category/jewellery/?filter_color=grey&filter_stones=aqua-marine%2Clight-champagne-zirconia&query_type_color=or&query_type_stones=or HTTP/1.0”

Also, there is no referrer, but the browser version seems legit.

How can I prevent such attacks? At what level (Hetzner, Apache, Plesk, Cloudflare)? Banning the IPs is after the fact; it is not preventative and may have unwanted results given the number of IPs.
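
An added example, not part of the original thread: a Python sketch of the two checks described in the posts above, counting hits per IP and flagging one-hit IPs whose only request was a referrer-less filter_* URL. It assumes Apache's combined log format; the sample lines, the documentation-range IPs and shop.example are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache "combined" log format (the thread does not show full lines).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (documentation IP ranges, hypothetical shop.example).
SAMPLE = [
    '192.0.2.10 - - [21/Jul/2025:06:34:20 +0000] "GET /product-category/jewellery/?filter_color=grey&filter_stones=aqua-marine%2Clight-champagne-zirconia&query_type_color=or&query_type_stones=or HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jul/2025:06:34:21 +0000] "GET /product-category/jewellery/?filter_color=blue&query_type_color=or HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Jul/2025:06:35:00 +0000] "GET / HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Jul/2025:06:35:09 +0000] "GET /product-category/jewellery/?filter_color=grey HTTP/1.1" 200 4800 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Jul/2025:06:36:00 +0000] "GET /cart/ HTTP/1.1" 200 700 "https://shop.example/" "Mozilla/5.0"',
    'not a log line',
]

def is_filter_hit(target):
    """True when the request's query string has at least one filter_* key."""
    return any(k.startswith("filter_") for k in parse_qs(urlsplit(target).query))

def summarize(lines):
    """Count hits per IP and flag one-hit IPs whose only request was a
    referrer-less filter URL, the pattern described in the thread."""
    hits, suspect = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        hits[m["ip"]] += 1
        if is_filter_hit(m["target"]) and m["referer"] in ("", "-"):
            suspect[m["ip"]] += 1
    single = [ip for ip, n in hits.items() if n == 1]
    flagged = [ip for ip in single if suspect[ip] == 1]
    return {
        "requests": sum(hits.values()),
        "unique_ips": len(hits),
        "single_hit_ips": len(single),
        "single_hit_filter_no_referrer": len(flagged),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

To run it against a real log, pass an open file handle to summarize() in place of SAMPLE; a high share of single-hit, referrer-less filter requests points at the URL pattern rather than at individual IPs as the thing to rate-limit or challenge.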
 