Penetration testing and high server load

[anton1982]

For one of our customers we needed to let a company perform a 'penetration' test on the website on our managed VPS. We have done this before but never any major problems. In this case it wears out the server. The server load spikes to around 35. Since there is a production website of the customer on that VPS we complained to the company performing the penetration test because the website went very slow/offline. They say their test should not be that heavy and something is wrong with the vps. Specs of the VPS:

CentOS7 + Directadmin + fail2ban + CSF
2 CPU - 4GB memory
low on traffic]
Normal average load around 0.4, when test is running between 30/35.

Everything works fine but when they start testing the server goes down. Can you give any advice? Can we do something about this?

 

[Arieh]

It's not easy to guess like this. It's much easier when you know what kind of tests they do. Different requests trigger different services.

Very generally speaking, if they are crawling across a website, looking for new links and try multiple get/post requests in a short time frame; the website is being accessed more than usual. If the pages are doing many calculations or have heavy mysql queries without caching, this may be the cause.