There's an ongoing attack that I can't quite figure out. There's no issues with the MySQL or Redis as far as I can see. Backend and frontend are not bottlenecked on CPU, Io wait, memory, or bandwidth. The number of TCP sockets in use is normal for this amount of traffic and do not appear to be limited by any kernel security setting. The Webservers are configured to drop slow http attacks.

I've seen this before and I never figured it out. Cloudflare WAF did fix it but when I turned it off to try and see if we could handle it without it, I never got a working solution.