Support > About independent server > How to handle server public network traffic exceeding the limit?
How to handle server public network traffic exceeding the limit?
Time : 2025-11-27 16:40:28
Edit : Jtti

  During server operation, whether it's a website, API, download service, live streaming, CDN origin pull, or backend synchronization interface, any interaction with the external network will inevitably generate public network traffic. When business grows, abnormal access increases, malicious scanning occurs frequently, or the application architecture is poorly designed, server public network traffic can easily exceed limits, leading to additional costs, service restrictions, or even IP blocking. Many users only realize the problem when they see the bill or receive alerts, by which time significant irreversible damage may have already occurred.

  The most common reasons for exceeding server public network traffic limits fall into four categories: underestimating bandwidth demand due to normal business growth; lack of caching for static resources or downloaded files; suffering from malicious traffic, API spamming, DDoS attacks, etc.; and backend program design involving numerous external API calls, synchronization scripts, or log uploads. These seemingly different situations all stem from an abnormal increase in public network egress data volume. Especially on cloud servers with traffic-based or fixed-quota billing, exceeding limits often translates to exponentially increased billing pressure. Failure to assess the problem promptly will exacerbate the damage.

  The first step in handling public network traffic limits is to quickly locate the source of the traffic. You can use the following common tools to view real-time traffic and source IPs:

iftop -nNP

  This command clearly displays the direction of external network connections, IP addresses, ports, and real-time bandwidth usage. If you find that certain unfamiliar IPs are continuously connecting and downloading resources in large quantities or constantly accessing a certain interface, it is likely abnormal traffic. Use it in conjunction with netstat and system logs for further analysis.

netstat -anp | grep ESTABLISHED
journalctl -u nginx

  You can further use nginx or apache access logs to pinpoint whether a specific URL has been flooded with fake access:

tail -f /var/log/nginx/access.log

  In the logs, pay close attention to the status code, access frequency, and whether the User-Agent is abnormal. If you see a large number of repeated requests concentrated on a certain URL, and the source IPs are randomly distributed, it's almost certain that malicious traffic is causing the traffic limit to exceed the limit.

  After understanding the problem, the second step is to quickly implement rate limiting, blocking, and protective measures. The simplest method is to use a firewall to block abnormal IPs:

iptables -A INPUT -s 1.2.3.4 -j DROP

  Or directly restrict access to specific ports:

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 1 --hitcount 100 -j DROP

  In addition, Fail2ban can be used to automatically block malicious IPs that repeatedly attempt to access the site. For website-based businesses, adding rate-limiting policies through Nginx is also a very effective method, for example:

limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;

server {
    location /api/ {
        limit_req zone=mylimit;
    }
}

  These rules can significantly reduce sudden surges in bandwidth consumption caused by malicious traffic without impacting the normal user experience.

  If the server experiences traffic overload due to normal business growth such as large downloads or video file reads, it's necessary to optimize the traffic path from an architectural perspective to reduce pressure on the server's public network egress. The most common approach is to introduce a CDN, so that visitors no longer directly request the server, but instead prioritize receiving cached content from CDN edge nodes. The higher the CDN's hit rate for static resources, the lower the server's egress traffic. Websites that don't use a CDN typically route all static resources through the origin server, and even if the peak access time is only one hour, it can still consume a large amount of public network bandwidth during that period.

  If the business relies entirely on APIs or dynamic content, duplicate requests can be reduced through interface-level caching, database query caching, reverse proxy caching, and appropriate KeepAlive settings. For example, enabling FastCGI caching in Nginx can reduce backend load and also reduce some invalid traffic.

fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=fcache:10m inactive=60m;
fastcgi_cache fcache;
fastcgi_cache_valid 200 301 302 10m;

  For backend applications with a large number of external calls, it's also necessary to check for issues such as circular calls, improperly configured error retry mechanisms, and excessively short request intervals. For example, some scheduled synchronization scripts might retry indefinitely due to exceptions, generating a large amount of outbound traffic in a short period. These issues can be resolved by optimizing the logic, rather than simply paying for increased traffic.

  If the public network traffic exceeding limits is due to attacks or scanning, it's recommended to enable higher levels of protection, such as anti-DDoS protection services provided by cloud providers, CDN security protection, configuring WAF, and enabling Geo restrictions. For example, foreign trade servers can directly restrict domestic traffic; for domestic servers, if the business only targets mainland China, overseas access can be blocked to avoid meaningless scanning and wasted traffic.

  After stabilizing the issues, fundamental traffic compression and acceleration strategies need to be considered. Enabling Gzip and Brotli compression can significantly reduce the size of returned data; enabling WebP format for images can also reduce traffic consumption. For large resources, object storage such as OSS and COS can be used to avoid having the server directly handle large file transfers. For video and audio services, using dedicated streaming acceleration or distribution networks can reduce server outbound pressure at the source.

  A robust monitoring mechanism is crucial for long-term operation. Without monitoring, users often only discover problems when traffic has already exceeded limits. Common monitoring tools such as vnStat can record daily, weekly, and monthly traffic data in real time.

vnstat -d
vnstat -m

  By integrating with professional monitoring systems such as Prometheus, Grafana, and Zabbix, real-time alerts can be issued for abnormal traffic. Monitoring not only allows users to detect problems early but also enables capacity planning based on access patterns, preventing cost spikes due to sudden peaks.

  From a cost perspective, rationally planning billing methods is also crucial. Many cloud vendors support different methods such as bandwidth-based billing, traffic-based billing, and outbound traffic billing. If business access volume is stable and peak volumes are small, fixed bandwidth is more cost-effective; if the access region has a complex user base, large traffic fluctuations, and occasional peaks, traffic-based billing is more flexible; if the resources are primarily static, combining CDN and object storage yields the best results. Choosing the appropriate billing model can often reduce long-term costs by more than 20%.

  For enterprise users, controlling public network traffic at the architectural design level is also essential. For example, after introducing microservices, communication between services should ideally use the internal network; APIs that don't need to be publicly exposed should be avoided; development environments should not directly occupy public network exits; batch synchronization tasks should ideally use dedicated lines or private networks. This not only reduces public network traffic but also significantly improves security.

  Once all investigations are complete, the cause of public network traffic exceeding limits is usually identified, and normal operation can be quickly restored. Regardless of whether the issue stems from malicious attacks, business growth, an inefficient architecture, or misconfiguration, the core principle is to first pinpoint the source of the traffic and then develop the most suitable optimization strategy. Over the long term, proper network structure planning, enabling caching, protection, compression, and monitoring can allow servers to handle more traffic without increasing costs.

Relevant contents

How to troubleshoot memory fluctuation issues on Japanese servers? How to identify malicious source IPs when Hong Kong server traffic is being consumed in large quantities every day? Why is the access speed of Japanese servers still slow even after the bandwidth has been upgraded? Efficiency optimization techniques for cross-border routing: Core strategies for preventing network congestion during peak hours Is slow website image loading related to insufficient server bandwidth? What are the scenarios for renting 1Gbps international high-bandwidth servers? Sudden DDoS Attacks on Hong Kong Servers: Log and Firewall Response Methods Troubleshooting solutions for Hong Kong server IPv6 port mapping failure Nginx logs fill up the hard drive: a quick location and automatic cleanup solution How to Choose an E-commerce Server CPU? From Traditional Processors to Cloud Instances
Go back

24/7/365 support.We work when you work

Support

JT TELECOM INTERNATIONAL PTE.LTD
Global Network Infrastructure Service Provider

Pre-sales consultation JTTI-Defl JTTI-Coco JTTI-Selina JTTI-Ellis JTTI-Eom JTTI-Jean JTTI-Amano Technical Support JTTI-Noc