Hello, this is to share with you that I am experiencing a DDoS attack on a webserver I manage.
It is a Drupal/PHP/Nginx platform that is flooded with GET requests such as:

GET /es/search?f%5B0%5D=language%3Aes&f%5B1%5D=regions%3A4490&f%5B2%5D=regions%3A4511&f%5B3%5D=regions%3A4538&f%5B4%5D=regions%3A4556&f%5B5%5D=regions%3A4567&f%5B6%5D=regions%3A4593&f%5B7%5D=regions%3A4601&f%5B8%5D=regions%3A4603&f%5B9%5D=regions%3A4620&f%5B10%5D=regions%3A4631&f%5B11%5D=regions%3A4674&f%5B12%5D=type_of_content%3A4697&f%5B13%5D=type_of_content%3A4710&f%5B14%5D=type_of_content%3A4857&f%5B15%5D=type_of_content%3A4862&f%5B16%5D=type_of_content%3A4943&f%5B17%5D=type_of_content%3A6249&f%5B18%5D=type_of_content%3A6423&f%5B19%5D=wcc_programmes%3A4882&f%5B20%5D=wcc_programmes%3A4893

It targets the search module, which does not cache the data, and that means resource impact.
This involves more than 12'000 individual IP addresses, spread over CN, IN, KO, MX, and US.
A list of the subnet part involved can be found here[0]. (The list is of course growing over time; the attack is not over and the spread of hosts continues.) I plan to further investigate the networks involved, how likely they are cloud nodes or infected hosts for instance.
I am on AS3303/Swisscom, BTW.
Is anyone experiencing such traffic? This is not huge in terms of bw, but scaled adequately to eat the servers' CPU resources.
Regards.
[0] https://www.mbuf.net/files/f/ebbc54f52b564824bf5e/
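
One way to measure the request pattern described in the message above from the server's access log, added here as an example and not part of the original post. It assumes nginx's combined log format and a hypothetical threshold of 8 facets per search; the sample lines are constructed and use documentation addresses.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Combined log format prefix: client IP, two fields, [time], "METHOD target proto"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
FACET_KEY = re.compile(r'^f\[\d+\]$')  # Drupal facet parameters: f[0], f[1], ...
FACET_LIMIT = 8                        # assumed threshold, tune per site

def facet_count(target):
    """Number of f[N] facet parameters on a .../search request, else 0."""
    parts = urlsplit(target)
    if not parts.path.rstrip('/').endswith('/search'):
        return 0
    # parse_qsl percent-decodes keys, so f%5B0%5D becomes f[0]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return sum(1 for key, _ in pairs if FACET_KEY.match(key))

def flag_subnets(lines, limit=FACET_LIMIT, prefix=24):
    """Count over-limit facet searches per source subnet (/prefix, or /64 for IPv6)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != 'GET':
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # first field is not an IP (malformed line)
        if facet_count(m.group(3)) > limit:
            bits = prefix if addr.version == 4 else 64
            hits[str(ipaddress.ip_network(f'{addr}/{bits}', strict=False))] += 1
    return hits

def _facets(n):
    # Constructed query string with n facet parameters, shaped like the one in the post
    return '&'.join(f'f%5B{i}%5D=regions%3A{4490 + i}' for i in range(n))

TS = '[01/Jan/2024:00:00:01 +0000]'  # constructed timestamp
SAMPLE = [  # constructed log lines
    f'203.0.113.10 - - {TS} "GET /es/search?{_facets(21)} HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.77 - - {TS} "GET /es/search?{_facets(15)} HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.5 - - {TS} "GET /es/search?f%5B0%5D=language%3Aes HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.9 - - {TS} "GET /es/node/1 HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == '__main__':
    for net, count in flag_subnets(SAMPLE).most_common():
        print(net, count)
```

The per-subnet counts give a starting point for deciding which source ranges to rate-limit or block at the web server or upstream.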