Many people deploy their businesses to Japanese cloud servers, usually because of their low latency, stable lines, and friendly international access. However, a common and troublesome problem in actual use is the sudden and abnormal surge in traffic. Some users even experience: traffic spikes of tens of gigabytes overnight, abnormally increased bills, bandwidth being fully utilized, and websites becoming slow or inaccessible. Even more troublesome is that many people have no idea how the traffic "went missing." This article systematically explains the causes of abnormal traffic on Japanese cloud servers from multiple perspectives, and how to troubleshoot and resolve them step by step.
First, let's understand: What exactly is abnormal traffic? Many people's first reaction is "being attacked," but in reality, abnormal traffic does not equal an attack. Common scenarios include: a surge in outbound traffic, abnormal inbound traffic, continuously full bandwidth, and a sudden sharp increase in the traffic curve. The key is to distinguish between normal business growth and abnormal traffic.
The most common cause: Being scanned or attacked
Japanese servers are international network nodes, making them easy targets for scanning tools. Common attacks or scans include: port scanning, web vulnerability scanning, brute-force login attacks, HTTP Flood/CC attacks, etc. These behaviors generate a large number of requests and consume bandwidth.
Typical signs: a large number of abnormal IPs in access.log, messy request paths (/phpmyadmin, /wp-login.php, etc.), and abnormal User-Agent.
Even if the server is not actually brought down, these requests still consume a lot of bandwidth.
Most easily overlooked: Website hotlinking
If your website has images, videos, and downloadable resources, but hasn't implemented hotlink protection, it's very likely that others will "freeload" on it. For example, other websites might directly use your images, resource sites might steal your download links, and videos might be played through external links—all these visits will count as your traffic.
Characteristics: Continuously and steadily increasing traffic, a wide distribution of source IPs, and Referer headers pointing at unfamiliar websites. Many website owners who see a traffic explosion find that it is actually caused by hotlinking.
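The two log signatures described above (scanner paths with odd User-Agents, and static assets served to foreign Referers) can be pulled out of access.log mechanically. The following is an added example, not code from the original article: it parses a constructed sample in the common Nginx/Apache "combined" log format and reports the busiest source IPs, scanner hits per IP, and bytes of static files served to pages on hosts you do not own. The log lines, the hostnames, the list of static suffixes, and the scanner paths beyond the two the article names (/phpmyadmin, /wp-login.php) are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of "combined" format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:03:12:01 +0900] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:03:12:02 +0900] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:03:12:02 +0900] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:03:13:10 +0900] "GET /images/banner.jpg HTTP/1.1" 200 524288 "https://other-site.example/post/1" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:03:13:11 +0900] "GET /images/banner.jpg HTTP/1.1" 200 524288 "https://other-site.example/post/1" "Mozilla/5.0"
192.0.2.20 - - [10/May/2024:03:14:00 +0900] "GET /index.html HTTP/1.1" 200 4096 "https://www.example.jp/" "Mozilla/5.0"
192.0.2.20 - - [10/May/2024:03:14:01 +0900] "GET /images/logo.png HTTP/1.1" 200 8192 "https://www.example.jp/index.html" "Mozilla/5.0"
"""

# One regex for the combined format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths real visitors of this site never request. The first two come from the
# article; the others are assumed additions typical of scanners.
SCANNER_PATHS = ("/wp-login.php", "/phpmyadmin", "/.env", "/xmlrpc.php")
# Assumed set of static asset types worth checking for hotlinking.
STATIC_SUFFIXES = (".jpg", ".png", ".gif", ".mp4", ".zip")


def parse_log(text):
    """Return one dict per line that matches the combined format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
            entries.append(d)
    return entries


def top_ips(entries, n=5):
    """Most frequent source IPs, as (ip, count) pairs."""
    return Counter(e["ip"] for e in entries).most_common(n)


def scanner_hits(entries):
    """Number of requests per IP that hit known scanner paths."""
    hits = Counter()
    for e in entries:
        if any(e["path"].startswith(p) for p in SCANNER_PATHS):
            hits[e["ip"]] += 1
    return hits


def hotlink_bytes(entries, own_hosts):
    """Bytes of static assets served to pages hosted outside own_hosts, keyed by referring host."""
    served = Counter()
    for e in entries:
        if not e["path"].lower().endswith(STATIC_SUFFIXES):
            continue
        if e["referer"] in ("-", ""):
            continue  # no Referer: cannot attribute, so not counted here
        host = urlsplit(e["referer"]).hostname
        if host and host not in own_hosts:
            served[host] += e["bytes"]
    return served


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("top IPs:", top_ips(log))
    print("scanner hits:", dict(scanner_hits(log)))
    print("hotlinked bytes:", dict(hotlink_bytes(log, {"www.example.jp"})))
```

Requests that carry no Referer at all are skipped by hotlink_bytes, so it understates hotlinking when the embedding site strips the header; a large share of static-file requests with an empty Referer is itself worth a closer look.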
Program issues causing traffic surges
Some abnormal traffic is actually due to "problems with your own code."
Common Situations:
1. Infinite request loop: Front-end JavaScript calls an API in an endless loop, producing a continuous stream of requests.
2. Unrestricted API: No rate limit, so web crawlers can hit it as often as they like.
3. Infinite retry mechanism: Failed requests are retried indefinitely with no upper bound.
Symptoms: An abnormally high number of requests to a particular API, with extremely high request frequency from the same IP address. If this issue is not addressed, bandwidth consumption will continue to increase.
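Two of the three program defects above are fixed on the server side with the same pair of controls: a bounded retry with exponential backoff, and a per-client rate limit on the API. The following is an added example written for this article, not code from it: a retry wrapper that gives up after a fixed number of attempts, and a sliding-window limiter that rejects a client once it exceeds a set number of requests per window. The limits, the window length, and the demo functions are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class RetryExhausted(Exception):
    """Raised when every allowed attempt has failed."""


def call_with_retry(fn, max_attempts=3, base_delay=0.5, sleep=time.sleep):
    """Run fn(); on exception wait with exponential backoff and retry,
    but never more than max_attempts times in total."""
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        try:
            return fn()
        except Exception as exc:
            if attempt == max_attempts:
                raise RetryExhausted(f"gave up after {attempt} attempts") from exc
            sleep(delay)
            delay *= 2


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: reject, do not record
        q.append(now)
        return True


def demo_retry():
    """Call an endpoint that always fails; return (attempts made, gave_up)."""
    attempts = []

    def always_down():
        attempts.append(1)
        raise ConnectionError("backend unavailable")  # constructed failure

    try:
        call_with_retry(always_down, max_attempts=3, sleep=lambda s: None)
        return len(attempts), False
    except RetryExhausted:
        return len(attempts), True


def demo_limiter():
    """Replay five requests from one client at fixed times against a 3-per-second limit."""
    limiter = SlidingWindowLimiter(limit=3, window=1.0)
    times = [0.0, 0.1, 0.2, 0.3, 1.25]  # constructed arrival times in seconds
    return [limiter.allow("203.0.113.7", now=t) for t in times]


if __name__ == "__main__":
    print("retry:", demo_retry())
    print("limiter decisions:", demo_limiter())
```

The fourth request in demo_limiter is rejected and, importantly, not recorded, so a client that keeps hammering the endpoint does not push its own window forward; the fifth request, 1.25 s after the first, is accepted again once the early timestamps have aged out.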
Hidden Traffic Caused by Logs or Backups
Many people only focus on web traffic, but internal system traffic also consumes bandwidth. For example, logs are synchronized to remote servers, automatic backups are uploaded (e.g., OSS, S3), and databases are synchronized. If configured incorrectly, such as backing up every minute, logs will grow infinitely and be uploaded in real time, resulting in extremely high outbound traffic.
Server Intrusion (High-Risk Situation)
If your server security is inadequate, abnormal traffic is almost inevitable after an intrusion. This is the most serious situation and must be investigated first.
Common behaviors: The compromised server is used to run proxy nodes, host Trojan downloaders, take part in DDoS attacks, and fetch and update malicious programs.
Symptoms: Abnormal CPU usage, consistently high outbound traffic, and the presence of unknown processes.
CDN Origin Server Anomalies
If you are using a CDN but it is improperly configured, it can also cause abnormal traffic. For example, CDN cache misses (frequent origin server requests), cache time settings that are too short, and dynamic resources not being cached.
Result: Every request reaches the origin server and traffic to the Japanese server surges; a CDN appears to be in use, but it is not actually doing any work.
How to Troubleshoot Step by Step?
When you encounter abnormal traffic, don't panic; check in the following order.
1. Check real-time traffic.
iftop
nload
vnstat
See who is consuming bandwidth.
2. Analyze web logs.
tail -f access.log
Key points to note: the most frequent source IPs, request paths, and User-Agents.
3. Check connection status
netstat -anp | grep ESTABLISHED
4. Check for any abnormal processes.
top
ps aux
Check if any abnormal programs are running.
5. Check scheduled tasks
crontab -l
Check for any abnormal tasks.
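Steps 3 and 4 above produce a lot of output on a busy server, and the signs the article lists (many connections from one peer, consistently high outbound traffic, unknown processes) are easier to spot when the output is summarized. The following is an added example, not part of the original article: it parses constructed samples of `netstat -anp` and `ps aux` output, counts ESTABLISHED connections per remote host and per program, totals the Send-Q (bytes queued for transmission) per program, and flags processes that run from a temporary directory or at very high CPU. The sample output, the CPU threshold, and the list of "suspicious" directories are assumptions made for the example; treat the flags as pointers for manual review, not verdicts.

```python
from collections import Counter

# Constructed `netstat -anp` output (addresses and names are invented).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       ESTABLISHED 1234/nginx: worker
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       ESTABLISHED 1234/nginx: worker
tcp        0      0 10.0.0.5:443            198.51.100.4:40001      ESTABLISHED 1234/nginx: worker
tcp        0  65535 10.0.0.5:38822          192.0.2.99:8080         ESTABLISHED 4321/.x
tcp        0      0 10.0.0.5:22             0.0.0.0:*               LISTEN      800/sshd
"""

# Constructed `ps aux` output for the same host.
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       800  0.0  0.1  15000  6000 ?        Ss   03:00   0:00 /usr/sbin/sshd -D
www-data  1234  1.2  0.5  60000 20000 ?        S    03:00   0:10 nginx: worker process
root      4321 97.0  2.0 300000 80000 ?        R    03:30  45:00 /tmp/.x --config /tmp/c.json
"""

# Assumed heuristics: directories a legitimate service binary rarely lives in,
# and a CPU level that deserves a look when it is sustained.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
CPU_THRESHOLD = 80.0


def established(netstat_text):
    """Return ESTABLISHED TCP connections as dicts with remote host, Send-Q and program."""
    conns = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] != "tcp" or parts[5] != "ESTABLISHED":
            continue
        conns.append({
            "local": parts[3],
            "remote_host": parts[4].rsplit(":", 1)[0],
            "send_q": int(parts[2]),
            "program": " ".join(parts[6:]),  # program names may contain spaces
        })
    return conns


def peers_by_count(conns):
    """Remote hosts ordered by number of open connections."""
    return Counter(c["remote_host"] for c in conns).most_common()


def sendq_by_program(conns):
    """Bytes waiting to be sent, summed per program: high values point at heavy outbound senders."""
    totals = Counter()
    for c in conns:
        totals[c["program"]] += c["send_q"]
    return totals


def flag_processes(ps_text):
    """Flag processes running from a suspicious directory or above the CPU threshold."""
    flags = []
    for line in ps_text.splitlines():
        parts = line.split(None, 10)
        if len(parts) < 11 or parts[1] == "PID":
            continue  # header or short line
        pid, cpu, command = parts[1], float(parts[2]), parts[10]
        reasons = []
        if command.split()[0].startswith(SUSPICIOUS_DIRS):
            reasons.append("runs from temp dir")
        if cpu >= CPU_THRESHOLD:
            reasons.append(f"cpu {cpu:.0f}%")
        if reasons:
            flags.append({"pid": pid, "command": command, "reasons": reasons})
    return flags


if __name__ == "__main__":
    conns = established(NETSTAT_SAMPLE)
    print("peers:", peers_by_count(conns))
    print("send-q per program:", dict(sendq_by_program(conns)))
    for f in flag_processes(PS_SAMPLE):
        print(f"pid {f['pid']}: {', '.join(f['reasons'])} -> {f['command']}")
```

On a real host you would feed the functions the live output (`netstat -anp` and `ps aux`) instead of the samples; a process that shows up in both the Send-Q totals and the flag list, as pid 4321 does here, is the one to investigate before anything else.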
In summary: Abnormal traffic on Japanese cloud servers is not a single issue, but rather the result of multiple factors. The truly effective approach is not to "guess the cause," but to use tools to systematically investigate and optimize accordingly. Once you understand the logs, connections, and processes, you can pinpoint 90% of traffic problems.