Every couple of weeks we have an issue whereby a single IP address opens a huge number of Apache processes at the same time.
It seems to connect to similar pages each time, but our Apache processes go from the normal ~20-25 busy slots to our max (256).
This IP address then refreshes all the requests relentlessly, taking the load on our server way up and slowing down the site dramatically.
The solution in each instance is simple; I find out the IP from Apache "server status" and block the IP using an iptables rule.
Unfortunately the IP address changes each time (it's always similar, and when I look up the host it says "bt openworld"), and I'm not available 24/7 to log in and add an iptables rule.
To be clear, we handle crawls from Google and other search engines without issue; I'm not sure whether what we are experiencing is malicious or not.
How can I limit the effect that this has?
Our setup is a single server handling both MySQL and Apache.
I have been advised that a load balancer is the only way to rate-limit the number of connections from single (but changing per attack) IP addresses.
Maybe something like this will help. It will block any hosts that open more than 150 connections within 2 minutes (180 seconds):
You have to tune the script so that normal users will never get blocked.
Well, you can use some iptables rules to limit the number of concurrent connections.
The other solution would be to optimize your application so that requests are handled faster using fewer resources.
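As an added example covering both answers above (the "block hosts that open more than N connections in a window" script and the "iptables rules to limit concurrent connections" suggestion), here is a small POSIX shell script. It is not the poster's script and not part of the original thread. It does two things: it prints the iptables rules that cap concurrent connections per source IP (`connlimit`) and rate-limit new connections per source IP (`hashlimit`), and it provides an `offenders` function that reads Apache access-log lines from stdin and lists source IPs exceeding a request threshold, for a cron job to turn into DROP rules. The thresholds (40 concurrent, 150 requests per 120 seconds), the sample log lines and the IP addresses are constructed assumptions; rules are printed rather than executed so they can be reviewed before being piped to `sh` as root.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Limits the damage one source IP can do to Apache in two layers:
#   1) kernel-side caps via iptables connlimit / hashlimit (printed, not applied)
#   2) a log-driven check listing IPs over a request threshold (for cron)
# All thresholds are assumptions; tune them so normal users are never blocked.

PORT=80
MAX_CONCURRENT=40      # assumed: concurrent TCP connections allowed per /32
MAX_REQUESTS=150       # assumed: requests per source IP within the window
WINDOW_SECONDS=120     # assumed: the window the log check is fed with

# Cap concurrent connections per source IP. Excess SYNs get a TCP reset so a
# well-behaved client fails fast instead of filling Apache's worker slots.
connlimit_rules() {
    echo "iptables -A INPUT -p tcp --syn --dport ${PORT} -m connlimit --connlimit-above ${MAX_CONCURRENT} --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
}

# Rate-limit new connections per source IP: MAX_REQUESTS per WINDOW_SECONDS,
# expressed as a per-minute average with the full window as burst allowance.
hashlimit_rules() {
    per_min=$(( MAX_REQUESTS * 60 / WINDOW_SECONDS ))
    echo "iptables -A INPUT -p tcp --syn --dport ${PORT} -m hashlimit --hashlimit-name http --hashlimit-mode srcip --hashlimit-above ${per_min}/minute --hashlimit-burst ${MAX_REQUESTS} -j DROP"
}

# Read access-log lines (common/combined format, client IP in field 1) from
# stdin and print every IP whose request count exceeds the threshold in $1.
# Feed it only the lines from the last WINDOW_SECONDS when run from cron.
offenders() {
    awk -v max="$1" '{ n[$1]++ } END { for (ip in n) if (n[ip] > max) print ip }' | sort
}

# Print the DROP rule for one offending IP, limited to the web port so an
# admin can still reach the box from that address if it was a false positive.
block_rule() {
    echo "iptables -I INPUT -s $1 -p tcp --dport ${PORT} -j DROP"
}

# Constructed sample log: 203.0.113.5 hammers the site, 198.51.100.7 is normal.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page2 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page1 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /page3 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /page2 HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 512'

# Demo run on the constructed sample: show the static rules, then the DROP
# rules a cron job would generate for IPs over a (deliberately low) threshold.
demo() {
    connlimit_rules
    hashlimit_rules
    printf '%s\n' "$SAMPLE_LOG" | offenders 3 | while read -r ip; do
        block_rule "$ip"
    done
}
```

Running `demo` prints the rules without applying them; in production a cron entry would pipe the last window of the access log through `offenders "$MAX_REQUESTS"` and then `block_rule`, and the connlimit/hashlimit rules would be loaded once at boot. A per-IP DROP should be paired with an expiry (for example a second cron job that flushes a dedicated chain), since the questioner notes the offending address changes each time and a blocklist that only grows will eventually hit legitimate users on the same ISP range.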