Issue Very high CPU usage

[EvannG1]

Hello,

I'm coming to you because I currently have a problem on my Plesk server.

Since yesterday (08/08/21) at about 16:30, my CPU usage is extremely high :

Usually the CPU Idle is at 98% / 99% (only a dozen sites hosted), and it has suddenly dropped to an average of 0.7%.
I have restarted the server several times (Microsoft Azure server), I have also resized it (now in D4s v3).

There was a small improvement at 00:00 as I tried to shut down the Apache server and restart it.
No noticeable changes were made to the hosted sites.
Since the CPU is overloading, Plesk and all sites are crashing (err_connection_reset and err_connection_closed).

I noticed in the process list that Apache2 was present several times and consuming a lot of resources (see screenshot below).
Maybe this is the problem?

Thank you in advance for your answers!

 

[weltonw]

Could you be under a DDoS/resource exhaustion attack?

 

[EvannG1]

Could you be under a DDoS/resource exhaustion attack?

That's what I thought too, but looking through the logs I can't find anything that would appear to be DDoS

 

[elecboy]

Enable caching, try to put your domain behind CloudFlare it should fix any problems.

 

[ddmitrienko]

Hi @EvannG1,
1) Nothing was changed on the server and the performance rapidly degraded
2) According to the process list top CPU consumers are the Apache processes
These 2 facts indeed make me think you are likely under DDoS attack

Consider checking this article, it's good at narrowing down the cause of the issue:

How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server

Applicable to: Plesk for Linux Plesk for Windows Question How to diagnose a DoS/DDoS attack and find websites under attack on a Plesk server? Answer On Linux For real-time attack Conne...

support.plesk.com

If the attack is the case, blocking the source IP addresses with a firewall will be the best initial step to make things better.

 

[Ankita tech]

There are many reasons for high CPU usage and in some surprising cases. Alternatively, malware can run on your computer and suck all the processing power out of your CPU, whether that's running multiple background processes or trying to spread through your email and networks.

 

[EvannG1]

I thank you for all your answers.

After much research, I finally found the domain that gets DDoSed. I put this domain behind CloudFlare, and I also activated the "Under Attack" mode, but nothing changes, the server is still impacted. According to the stats CloudFlare gives me, the attack comes from several different sources at the same time.


Not really having any solutions, I modified the DNS records of the attacked domain so that it no longer points to the Plesk server yesterday in the late afternoon. Since then, the server is not impacted at all, but the attacked site is no longer accessible (since it does not point to anything).
Is there anything more I can do to counter this type of attack?

 

[weltonw]

There are some attacks that will slip through cloudflare unfortunately. There is definitely more to do, but it gets progressively more expensive.

You could take a look at Sucuri, or StackPath. If that doesn't work, there are other vendors, albeit (very) expensive.

 

[thei]

Hi! Just a question below is the result of my HTOP, I am thinking to add additional CPU then add additional memory usage and swp usage to prevent disk memory full error, Also is there an additional payment for adding cpu and adding memory and swp usage?

 

[Bitpalast]

Hi! Just a question below is the result of my HTOP, I am thinking to add additional CPU then add additional memory usage and swp usage to prevent disk memory full error, Also is there an additional payment for adding cpu and adding memory and swp usage?

For the Plesk licence: The price is independent from the number of CPU cores, RAM or swap space. For the server hardware: Most likely your data center will charge more for more resources.