I'm experiencing what I think is a layer 7 flooding/DoS attack targeting php-fpm. The problem is that I can't seem to identify the exact attack vector. Firstly, here's a pic.

Here are some things I tried to identify the source of the attack / what I know:

- Randomly sampled tens of IPs from the logs within the timeframe of the attack and performed some checks: whether they belong to a server/proxy, an 'abnormal' country, previous visits before the attack started, etc. Nothing seemed out of the ordinary.
- The access log didn't seem abnormal in general, as I'm seeing 500-700 requests/min, which is average. Requests are being logged live as opposed to being buffered.
- Just max_children warnings in the php logs; also nothing abnormal in the slow log.
- No abnormal user agents, exploit-seeking URLs, etc.
- A per-IP request limit to php didn't help.
- Connection rate limit / max connection limit in iptables didn't help.
- Tried some anti-flooding protections via CSF (such as CT), didn't help.
- Cloudflare (I'm Under Attack mode w/ Pro plan) kind of worked, but ended up causing more issues, such as ~1.5 times slower load speeds and a, quote, "SSL error" that caused hours of downtime while I was away, so I got rid of it.
- Tried various settings with limit_req_zone and limit_conn_zone, didn't help, and mostly just fed 444 to innocent users on shared networks.
- Tried tens of different configs with nginx / fpm, didn't help, i.e., I'm almost confident that this isn't caused by bad configs.
- The only thing that seemingly helped at all is raising the max_children limit, but this isn't really a solution, as I can't raise it infinitely.
- Double checked cron to see if anything was hogging resources, got nothing.
- Checked the number of connections during the attack: two or three suspicious IPs with 10+ connections, but this is normal, and all of them belonged to shared mobile networks.
- Enabled several block lists in CSF, didn't help.

The server has been set up to pretty much block every known hosting provider on the planet, so it's unlikely that it's a "D"DoS, but just one person doing this. However, this (the protection) is done at the nginx layer; if I understood correctly how php-fpm works, this should still be effective against attacks targeting php. Bot detection via checking cookie availability was useful, but didn't stop the attacks.

Would it be possible to spawn fpm processes via maliciously crafted packets, without going through nginx, thus being undetected in the logs / protections? If so, how would I go about investigating further and mitigating it, and if my theory is inaccurate, is there anything I can do/check to stop this? Any input would be appreciated.
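php-fpm only hands work to its workers for requests that arrive on the pool's FastCGI `listen` socket, so the scenario the question raises (workers being consumed without a request ever passing nginx, its logs or its rate limits) is possible exactly when that listener is reachable by the attacker: a TCP listener on a non-loopback address, or a bare port (which binds every interface), with `listen.allowed_clients` unset or blank. The following checker classifies that exposure from a pool file. It is an added example written for this page, not code from the poster or from the php-fpm project; the pool fragments in `SAMPLE_POOLS` are constructed, and `parse_pool`, `split_host_port`, `classify_listen` and `audit` are names chosen here.

```python
import ipaddress

# Constructed php-fpm pool fragments for the demonstration (not the poster's real config).
SAMPLE_POOLS = {
    "unix_socket": "[www]\nlisten = /run/php/php-fpm.sock\nlisten.owner = www-data\n",
    "loopback": "[www]\nlisten = 127.0.0.1:9000\n",
    "bare_port": "[www]\n; a bare port makes php-fpm bind every interface\nlisten = 9000\n",
    "any_restricted": "[www]\nlisten = 0.0.0.0:9000\nlisten.allowed_clients = 127.0.0.1,10.0.0.2\n",
    "lan_open": "[www]\nlisten = 10.0.0.5:9000\nlisten.allowed_clients =\n",
}


def parse_pool(text):
    """Minimal reader for the 'key = value' lines of a pool file; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def split_host_port(listen):
    """Split php-fpm's 'ip:port', '[v6]:port' or bare 'port' forms. Host is None for a bare port."""
    if listen.startswith("["):
        host, _, port = listen[1:].partition("]:")
        return host, int(port)
    if ":" in listen:
        host, _, port = listen.rpartition(":")
        return host, int(port)
    return None, int(listen)


def classify_listen(settings):
    """Return (exposure, reason); exposure is 'local', 'restricted', 'exposed' or 'unknown'."""
    listen = settings.get("listen", "")
    if not listen:
        return "unknown", "no listen directive in pool"
    if listen.startswith("/"):
        # Unix sockets are gated by listen.owner / listen.group / listen.mode, never by the network.
        return "local", "unix socket; only local processes permitted by listen.owner/group/mode can connect"
    host, port = split_host_port(listen)
    if host is None:
        loopback = False
        bound = "every interface (bare port %d)" % port
    else:
        bound = host
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # a hostname rather than an address
            loopback = host == "localhost"
    if loopback:
        return "local", "TCP on %s; only this host can reach it" % bound
    # php-fpm accepts FastCGI from any client when listen.allowed_clients is absent or blank.
    allowed = [c.strip() for c in settings.get("listen.allowed_clients", "").split(",") if c.strip()]
    if allowed:
        return "restricted", "TCP on %s; FastCGI accepted only from %s" % (bound, ", ".join(allowed))
    return "exposed", ("TCP on %s with no listen.allowed_clients; anyone who can reach port %d "
                       "can hand php-fpm requests directly, bypassing nginx" % (bound, port))


def audit(pools):
    """Classify every pool text in a {name: text} mapping; returns {name: exposure}."""
    return {name: classify_listen(parse_pool(text))[0] for name, text in pools.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_POOLS.items():
        exposure, reason = classify_listen(parse_pool(text))
        print("%-15s %-10s %s" % (name, exposure, reason))
```

Run it against the real pool files under the php-fpm `pool.d` directory rather than the constructed samples, and confirm the static result live with `ss -ltnp` (a php-fpm entry bound to `0.0.0.0`, `*` or `::` is the exposed case; a loopback address or a unix socket path is not). If the listener turns out to be reachable only from nginx, the remaining way to test the theory is to enable the pool status page (`pm.status_path`) and compare its `accepted conn` counter over a window against the number of PHP requests nginx logged in the same window: a large excess on the php-fpm side means requests are reaching the pool without passing nginx, while a match means the load is all coming through nginx and the search belongs in the access log after all.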