Today, I received an email from a website monitoring service. It said my site was down.
1) The very first step is to try the website. The browser cannot open it.
2) I sign in to the PVE and look at the summary of this VM, which hosts the websites.
The CPU usage is over 100%.

CPU usage stays over 100% for about half an hour. The small dip to 80% in the middle is a reboot.
3) There must be some process that took a lot of CPU usage. So, I checked the running processes. This time I sign in to the Webmin panel.

It is clear that the MariaDB or MySQL server is getting stuck.
I have to find out the reason for the problem.
4) Connect to the VM with the SSH terminal window. Enter the following command to check the problem.
davidyin@lime:~$ sudo mysql -e "SHOW FULL PROCESSLIST\G"
I found a lot of connections to the website phpbbchinese.com. It is a non-profit website. I made it for the support service of the Chinese language pack of phpBB forum software. I am the official translator of it.
5) My website is running behind Cloudflare. So I go to the Cloudflare dashboard and turn on the "I'm Under Attack" mode.
6) When the Under Attack switch is on, the CPU load goes down very quickly. I have to find out which one is attacking the site.
I have an AWStats tool. It is updated every hour. I checked it.
I found it. The IP address is 117.79.126.123. It is a bad IP address.
To make sure it is a bad one, I double-check the website log file.
It just sends tons of register requests at a very fast speed. This is a so-called DoS attack.
7) I also check an IP address blacklist service.
It is not a new one. It is a repeat offender.
OK, I will block it.
8) In Cloudflare, under Security > WAF > Custom rules, I add a new rule to block any request from this IP address.
A few hours passed. It is still sending requests to my site.
The Cloudflare security service blocked most of the attacks. These bad requests will not arrive on my website and add load to the CPU.
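
The log check from step 6 can be scripted. The following is an added example, not part of the original post: it scans access log lines and reports any IP that sends phpBB registration requests faster than a threshold within a sliding time window. It assumes the web server writes the combined log format and that registration uses phpBB's ucp.php?mode=register URL; the window, the threshold, the function names and the sample IPs (documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
REGISTER_MARKER = "mode=register"  # phpBB registration page (assumed URL)

def parse(line):
    """Return (ip, timestamp, path) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]

def find_register_floods(lines, window=timedelta(seconds=60), threshold=20):
    """Map each flooding IP to its peak register-request count in any window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in one window
    for line in lines:
        rec = parse(line)
        if rec is None or REGISTER_MARKER not in rec[2]:
            continue
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def constructed_sample():
    """Constructed log lines: one flooder, one slow client, one normal visitor."""
    fmt = '{ip} - - [10/Jun/2025:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 5120 "-" "-"'
    reg = "POST /ucp.php?mode=register"
    lines = [fmt.format(ip="203.0.113.50", m=0, s=s, req=reg) for s in range(30)]
    lines += [fmt.format(ip="198.51.100.9", m=m, s=0, req=reg) for m in range(0, 50, 2)]
    lines += [fmt.format(ip="198.51.100.7", m=5, s=s, req=reg) for s in (0, 30)]
    lines.append(fmt.format(ip="198.51.100.7", m=6, s=0, req="GET /viewtopic.php?t=1"))
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    for ip, n in find_register_floods(constructed_sample()).items():
        print(f"{ip}: {n} register requests within 60 seconds")
```

The slow client sends as many register requests in total as a flooder might, but never more than one per window, so only the rate-based check separates the two.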
The key difference between a Denial-of-Service (DoS) and a Distributed Denial-of-Service (DDoS) attack lies in the source of the attack: DoS attacks originate from a single source, while DDoS attacks are launched from multiple, often geographically dispersed, sources.
Here is the reference to the Cloudflare Docs page: https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/