Potential causes could be any of the following:
- Denial of Service attack
- Search bot or scraping bot hitting expensive URLs
- Extra traffic spike due to popular article, press release, etc.
To record the X-Forwarded-For header in the Apache HTTP Server's access_log, add this to the httpd.conf file on the dispatcher servers:
LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
In Microsoft IIS, add X-Forwarded-For in the "Advanced Logging" configuration.
With the X-Forwarded-For header logged, the access log records the correct end-user IP.
Use the output showing the IP and User-Agent to analyze whether it is a malicious attack and block the offending IPs if it makes sense.
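One way to carry out this analysis, as an added example that is not part of the original page: a Python script that parses lines written with the "combined" LogFormat above and counts requests per (IP, User-Agent) pair and per URL path. The function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the "combined" LogFormat above: X-Forwarded-For first, then %h %l %u %t ...
# X-Forwarded-For may list several comma-separated hops, so it is matched lazily.
LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

def parse_line(line):
    """Return (client_ip, path, user_agent), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    xff = m.group("xff")
    # The leftmost X-Forwarded-For entry is the address the client claims. The header
    # is client-controlled, so fall back to %h (the TCP peer) when it is absent.
    ip = xff.split(",")[0].strip() if xff not in ("", "-") else m.group("host")
    parts = m.group("request").split()
    # Drop the query string so that variations of one expensive URL group together.
    path = (parts[1] if len(parts) >= 2 else m.group("request")).split("?")[0]
    return ip, path, m.group("ua")

def summarize(lines, top=3):
    """Count requests per (IP, User-Agent) and per path; return the top entries."""
    clients, paths = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            clients[(rec[0], rec[2])] += 1
            paths[rec[1]] += 1
    return clients.most_common(top), paths.most_common(top)

# Constructed sample lines using documentation address ranges, not real traffic.
TS = "[10/Oct/2023:13:55:36 +0000]"
SAMPLE = [
    f'203.0.113.7 192.0.2.10 - - {TS} "GET /content/site/en/search.html?q=a HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"',
    f'203.0.113.7 192.0.2.10 - - {TS} "GET /content/site/en/search.html?q=b HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"',
    f'203.0.113.7, 198.51.100.2 192.0.2.10 - - {TS} "GET /content/site/en/search.html?q=c HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"',
    f'- 198.51.100.23 - - {TS} "GET /content/site/en/home.html HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0"',
    "malformed line that is skipped",
]

if __name__ == "__main__":
    top_clients, top_paths = summarize(SAMPLE)
    for (ip, ua), count in top_clients:
        print(f"{count:6d}  {ip}  {ua}")
    for path, count in top_paths:
        print(f"{count:6d}  {path}")
```

A single IP and User-Agent pair dominating one path points to a bot or an attack, while a popular article shows many distinct IPs on the same path.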
Apache:
In the httpd configuration files there should be a section for the dispatcher. Set DispatcherLogLevel to 3:
DispatcherLogLevel 3
IIS:
Modify the dis_iis.ini and set the loglevel to 3:
loglevel=3