
Question Strange apache access log and server load

Hello, in one of our domains’ apache’s access_ssl_log I found something that, at least to me, seems strange. The log is from 21/Jul/2025:06:34:20 to 22/Jul/2025:06:29:03 and has 715’758 lines which translate to 468’502 unique IPs. I did a basic count of IP occurrences and found that only 47’581 IPs appear more than 1 time while 420’941 IPs do one random page hit and then disappear. This does not look like bot behavior. Does anybody have any idea what it is and how to stop it, since it greatly affects the server’s load?
 
That does sound like DDoS behavior. Out of curiosity, did you check the origin of (some of) the IPs to see where they originate and to which provider they belong? For example with help of the abuseIPDB (or any other IP database). That should help you determine whether these IPs (probably) belong to bots and crawlers.
 
Thank you for your reply.

I looked up some of the IPs in the database you proposed and most of them are from the USA, from various ISPs and are not listed as bad. The specific e-shop sells globally so I cannot exclude whole countries.

I looked in the logs again and found that all these requests are hitting complex filter URLs that in most cases have no products listed. i.e.
“GET /product-category/jewellery/?filter_color=grey&filter_stones=aqua-marine%2Clight-champagne-zirconia&query_type_color=or&query_type_stones=or HTTP/1.0”

Also there is no referrer but the browser version seems legit.

How can I prevent such attacks? At what level (Hetzner, apache, plesk, cloudflare)? Banning the IPs is after the fact, it is not preventative and may have unwanted results based on the number of the IPs.
 
No, that is just the GET part. Here is a full log entry (of another line):

1.178.124.231 - - [21/Jul/2025:20:53:05 +0300] "GET /product-category/jewellery/?filter_stones=chrysocolla%2Cglass-engaving%2Clapis-lazuli&query_type_stones=or HTTP/1.0" 200 73737 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Brave Chrome/86.0.4240.183 Safari/537.36"
 
Unfortunately I am seeing an increasing number of bots try to mask their identity and activity by using user-agent strings posing as regular browsers. That being said, you can often still identify bots either by their IP or by specific traffic patterns (especially across multiple domains).

However, if (most) of these requests really do originate from legitimate ISPs rather than from hosting providers or internet services (like VPN providers), it might be something else. It's hard to say really.

How can I prevent such attacks? At what level (Hetzner, apache, plesk, cloudflare)? Banning the IPs is after the fact, it is not preventative and may have unwanted results based on the number of the IPs.
Does the traffic drain your resources much? If not, you could just ignore it, otherwise I'd go with a service like Cloudflare, as I don't think there is much you can do at server level to prevent these types of traffic.
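
Added example (not part of the original thread, and not any poster's code): a triage script that repeats the per-IP count described in the first post and also counts requests matching the pattern in the quoted log entry (a filter_* query string, no referrer, HTTP/1.0). Treating that combination as "suspect" is an assumption for sizing the traffic, not a verdict; the sample lines, the documentation-range IPs and shop.example are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, as in the full entry quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not taken from the real log.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Jul/2025:20:53:05 +0300] "GET /product-category/jewellery/?filter_stones=a%2Cb&query_type_stones=or HTTP/1.0" 200 73737 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [21/Jul/2025:20:53:06 +0300] "GET /product-category/jewellery/?filter_color=grey&query_type_color=or HTTP/1.0" 200 70112 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 - - [21/Jul/2025:20:53:07 +0300] "GET /product-category/jewellery/ HTTP/2.0" 200 81234 "https://shop.example/" "Mozilla/5.0 (X11; Linux)"
203.0.113.5 - - [21/Jul/2025:20:53:09 +0300] "GET /product-category/jewellery/?filter_color=grey HTTP/2.0" 200 60321 "https://shop.example/product-category/jewellery/" "Mozilla/5.0 (X11; Linux)"
"""

def is_suspect(m):
    """Assumed heuristic from the thread: filter_* query, no referrer, HTTP/1.0."""
    params = parse_qs(urlsplit(m["target"]).query)
    has_filter = any(k.startswith("filter_") for k in params)
    return has_filter and m["referer"] in ("", "-") and m["proto"] == "HTTP/1.0"

def summarize(log_text):
    hits, suspect_hits, unparsed = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            unparsed += 1  # keep count so malformed lines are not silently lost
            continue
        hits[m["ip"]] += 1
        if is_suspect(m):
            suspect_hits[m["ip"]] += 1
    single = {ip for ip, n in hits.items() if n == 1}
    return {
        "requests": sum(hits.values()),
        "unique_ips": len(hits),
        "single_hit_ips": len(single),
        "suspect_requests": sum(suspect_hits.values()),
        "single_hit_suspect_ips": len(single & set(suspect_hits)),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

If single_hit_suspect_ips accounts for most of single_hit_ips on the real log, the request shape rather than the source IP is the stable attribute to rate-limit or challenge on.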
 