find the user to kill it or restart http daemon
While this was something I was taught and did at the start of my career, I have since learnt that waiting for a load spike and responding to it in this way is something of an anti-pattern.
My house keeps catching fire – should I install a sprinkler system or try to find out why it keeps happening?
The SOP for load arising from a web server is different from the SOP for an application server is different from the SOP for a database server. If you are running (say) a LAMP server then you have all those problems on the same box.
check for spamming
Erk! If people can use your host for a purpose you didn’t intend, then you’ve failed regardless of the load.
or brute force attacks
There are lots of tools to prevent that. I use fail2ban on my edge for HTTP[S] traffic.
Sometimes I would see mysql user causing the load spikes
Then you need to start by analyzing the query performance, optimizing the database and the IO paths.