Help figure out what is causing high usage

Posted January 28, 2021 275 views
SecurityData Analysis

I’ve got one particular droplet which hosts downloadable content to paid members.

However, there is often the case where several of the DO alerts are triggered (and the threshold is set pretty high). However, I am unable to determine if this is legitimate usage or some form of attack.

I’ve got Google Analytics on the site, but that doesn’t help (the highest users in the past 90 days is 22).
It has geolocation, but whenever I’ve checked the days, they’ve been inconsistent (sometimes UK, sometimes US, once South Korea).

I had the alerts triggered this morning, and according to analytics, I had one user, who accessed the site hours before it happened.

It generally happens roughly 5-7AM GMT, but not all the time.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

Hi there,

If you are using a webserver like Nginx or Apache, what I could suggest is using this script here to summarize your access lots:

Quick access logs summary

This is a BASH script which will quickly summarize your access logs and provide you with very useful information like:

  • Top 20 POST requests
  • Top 20 GET requests
  • Top 20 IP logs and their geo-location

It should help you determine if the top post and get requests are legitimate or not.

Let me know how it goes!