Hello, I would like to know how to handle certain heavy-hitting IPs. Once in a while I look at the awstats logs and find some abnormally heavy-hitting IPs, for example:
    ip68-231-211-53.oc.oc.cox.net    81 921    82 470    52.79 Mo    10 Jan 2017 - 07:48
    c-5eeaaa91-74736162.cust.telenor.se    59 983    61 441    107.82 Mo    10 Jan 2017 - 03:41
Not only are the page views abnormally high for a single individual, but the page/hit ratio is also abnormal. I don't think it is a DDoS attack because I have DDoS protection. I assume this activity is the result of some kind of script, not sure if malicious or not. I have two questions:
1. Should I ban these IPs?
2. Is there a way to automatically detect this kind of activity and ban the offenders?
How much DDoS protection do you have? If you see thousands of those hits then it is an amplification attack. Those are spoofed IPs so you can't ban them. Voxility can handle these attacks better than any other provider.
No idea about the anti-DDoS settings, but I did get a DDoS blocked notification once; it was a brute-force attack on a freshly installed Webmin control panel. I'm pretty sure this isn't a DDoS attack. After inspecting the activity of these IPs, the offenders were actually loading pages, so most likely crawlers. I would like to block that kind of script activity though; I get no benefit from it, and it slows down the sites and decreases legit traffic and ad revenues. Isn't there stock software that could automatically detect these abnormal activities and ban the offenders? Of course, there should be an exception for search engines, which are beneficial.
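
Added example (not written by any poster in this thread): one way to flag the per-IP request bursts described above from a web server access log in Combined Log Format, while skipping an allowlist of crawler IPs. The window, limit, allowlist contents and sample log lines are assumptions constructed for illustration; the allowlist is assumed to hold crawler IPs already verified by other means, such as a reverse DNS lookup confirmed by a forward lookup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "request" status bytes "referer" "agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
WINDOW = timedelta(seconds=60)   # assumed window; tune to your traffic
LIMIT = 5                        # assumed max requests per IP per window
ALLOW = {"192.0.2.10"}           # constructed: crawler IPs already verified


def heavy_hitters(lines, window=WINDOW, limit=LIMIT, allow=ALLOW):
    """Return {ip: peak requests seen in any window} for IPs over the limit.

    Assumes each IP's lines arrive in chronological order, as in a log file.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        ip, stamp = m.groups()
        if ip in allow:
            continue  # beneficial crawlers are never flagged
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > limit:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def sample_log():
    """Constructed log: one scripted client, one crawler, one normal visitor."""
    fmt = ('{ip} - - [10/Jan/2017:07:{m:02d}:{s:02d} +0000] '
           '"GET /p{n} HTTP/1.1" 200 512 "-" "x"')
    out = [fmt.format(ip="203.0.113.5", m=48, s=i, n=i) for i in range(20)]
    out += [fmt.format(ip="192.0.2.10", m=48, s=i, n=i) for i in range(30)]
    out += [fmt.format(ip="198.51.100.7", m=40 + i, s=0, n=i) for i in range(8)]
    return out


if __name__ == "__main__":
    for ip, n in heavy_hitters(sample_log()).items():
        print(f"{ip} peaked at {n} requests per window")
```

The returned addresses are candidates for review or for a firewall rule; a visitor who loads one page per minute, like the third constructed client, stays under the limit.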