Thread: Help with unusual traffic load
-
07-25-2005, 06:36 PM #1 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
Help with unusual traffic load
Hello,
It's been 4 hours now; according to MRTG my server is pushing and receiving at 8-10 mbps.
That's very unusual for my server, as usually my bandwidth is at 1.5-3.5 mbps.
Also it's strange that from-internet traffic is even higher than to-internet traffic.
Can anyone please advise me how to understand what exactly is being downloaded/uploaded and which IP is using that much bandwidth?
Best Regards,
Namesniper
-
07-25-2005, 06:49 PM #2 Web Hosting Master
- Join Date
- Jan 2004
- Location
- Texas
- Posts
- 1,556
What OS are you using?
James Lumby
-
07-26-2005, 07:13 AM #3 Junior Guru Wannabe
- Join Date
- Jul 2005
- Posts
- 80
You can use iptraf (console program) to check where this huge traffic is coming from (more or less).
-
07-26-2005, 09:51 AM #4 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
RHEL 3
Originally posted by lumbyjj
What OS are you using?
Best Regards,
Namesniper
-
07-26-2005, 10:03 AM #5 Web Hosting Master
- Join Date
- Jun 2003
- Location
- United States of America
- Posts
- 1,847
And what's your website? You may wanna look into bittorrent?
Computer Steroids - Full service website development solutions since 2001.
(612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.
-
07-26-2005, 10:14 AM #6 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
Unfortunately I don't have iptraf installed
ps -aux returns
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line
Same for netstat
Any ideas?
Originally posted by zoldar
You can use iptraf (console program) to check where this huge traffic is coming from (more or less).
Best Regards,
Namesniper
-
07-26-2005, 10:18 AM #7 Disabled
- Join Date
- May 2002
- Location
- east coast
- Posts
- 64
My first concern would be the possibility that your server has been hacked or otherwise compromised.
If you can't identify the traffic surge quickly, I would look into hiring a professional, ASAP.
If it's a mail exploit, for instance, you could end up on some blacklists pretty quickly.
-
07-26-2005, 10:28 AM #8 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
I am 100% sure that I was not compromised, and I have heard the same from DC, but they can't understand what's going on; the httpd is failing every minute!
Originally posted by outsource
My first concern would be the possibility that your server has been hacked or otherwise compromised.
If you can't identify the traffic surge quickly, I would look into hiring a professional, ASAP.
If it's a mail exploit, for instance, you could end up on some blacklists pretty quickly.
Best Regards,
Namesniper
-
07-26-2005, 10:33 AM #9 Web Hosting Master
- Join Date
- Aug 2003
- Location
- USA
- Posts
- 1,036
Are you currently running any (D)DOS prevention methods?
Depending on the in/out, the traffic surge could be a targeted (D)DOS attack.
CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
:: Pay for your discount ModernBill license with PayPal
:: admin[at]cybexhost.com :: AIM: CybexH
-
07-26-2005, 11:00 AM #10 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
DC has told me that there is no DDoS attack atm.
I have tailed the logs and found one IP which was generating too much traffic; I am not sure if it will fix the problem.
Originally posted by CybexHost
Are you currently running any (D)DOS prevention methods?
Depending on the in/out, the traffic surge could be a targeted (D)DOS attack.
Best Regards,
Namesniper
-
07-26-2005, 12:26 PM #11 Hosting provider
- Join Date
- May 2002
- Location
- Moscow
- Posts
- 1,602
Maybe you are getting flooded. Has your Apache maxed out your MaxClient setting?
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
-
07-26-2005, 12:45 PM #12 Web Hosting Master
- Join Date
- Jul 2004
- Posts
- 873
Use iptraf or iftop and you can find the reason for this high traffic.
-
07-26-2005, 12:46 PM #13 Web Hosting Master
- Join Date
- Aug 2003
- Location
- USA
- Posts
- 1,036
Depending on how your daemon is adjusted, the MaxClient number may not change after a crash of httpd from too many clients. A typical number is about 150.
What is your current MaxClient setting?
CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
:: Pay for your discount ModernBill license with PayPal
:: admin[at]cybexhost.com :: AIM: CybexH
-
07-26-2005, 01:44 PM #14 Newbie
- Join Date
- Jul 2005
- Posts
- 23
Just to add, does the Apache error_log show anything useful?
----
Aby,
Last edited by abyvarghese; 07-26-2005 at 01:50 PM.
-
07-26-2005, 01:59 PM #15 Web Hosting Master
- Join Date
- Jun 2003
- Location
- United States of America
- Posts
- 1,847
I'd block that single IP as long as it's not yours and see what happens when Apache dies?
Computer Steroids - Full service website development solutions since 2001.
(612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.
-
07-26-2005, 04:50 PM #16 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
Unfortunately I don't have any of those installed
Originally posted by artin1982
Use iptraf or iftop and you can find the reason for this high traffic.
Best Regards,
Namesniper
-
07-26-2005, 04:54 PM #17 Newbie
- Join Date
- Jul 2005
- Posts
- 23
Better late than never. Why not install it now?
----
Aby,
-
07-26-2005, 04:55 PM #18 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
My max client is 150, and yes, I see that it's failing because there are 250+ connections, but I can't understand from WHICH IP I am getting that many connections to ban it!
Apache is still failing every minute
Originally posted by CybexHost
Depending on how your daemon is adjusted, the MaxClient number may not change after a crash of httpd from too many clients. A typical number is about 150.
What is your current MaxClient setting?
Best Regards,
Namesniper
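Added example, not part of any post in this thread: one way to answer the "from WHICH IP" question above using only netstat and awk, for when iptraf or iftop are not installed. The function names and the sample connection table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `netstat -ant` layout. Addresses come from the
# documentation ranges (RFC 5737), not from the thread.
sample_netstat() {
cat <<'EOF'
warning, got duplicate tcp line.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 0.0.0.0:80         0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:80      198.51.100.7:41022  ESTABLISHED
tcp        0      0 192.0.2.10:80      198.51.100.7:41023  ESTABLISHED
tcp        0      0 192.0.2.10:80      198.51.100.7:41024  ESTABLISHED
tcp        0      0 192.0.2.10:80      198.51.100.7:41025  SYN_RECV
tcp        0      0 192.0.2.10:80      203.0.113.25:50311  ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.25:50312  TIME_WAIT
tcp        0      0 192.0.2.10:22      198.51.100.99:60001 ESTABLISHED
EOF
}

# rows_for_port PORT: keep only TCP rows whose local port is PORT and emit
# "remote_ip state". Warnings, headers and LISTEN sockets are skipped.
rows_for_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, loc, ":")
            if (loc[n] != port) next
            ip = $5
            sub(/:[^:]*$/, "", ip)     # drop the remote port
            sub(/^::ffff:/, "", ip)    # unwrap IPv4-mapped IPv6 addresses
            print ip, $6
        }'
}

# top_talkers PORT [N]: the N remote addresses holding the most connections.
top_talkers() {
    rows_for_port "$1" | awk '{ c[$1]++ } END { for (k in c) print c[k], k }' |
        sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# state_summary PORT: connections per TCP state. Mostly SYN_RECV points at a
# SYN flood; mostly ESTABLISHED points at requests tying up Apache workers.
state_summary() {
    rows_for_port "$1" | awk '{ c[$2]++ } END { for (k in c) print c[k], k }' |
        sort -k1,1nr -k2,2
}

# Live use: netstat -ant 2>/dev/null | top_talkers 80 20
sample_netstat | top_talkers 80 5
```

When no single address stands out and the load is spread over many sources, per-IP blocking stops helping and the state summary is the more useful view.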
-
07-26-2005, 04:57 PM #19 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
The process (915) has exceeded defined resource limits, as such a kill signal was invoked from the process resource monitor.
That's what I see now
- Event Summary:
USER: apache
PID : 915
CMD : /usr/sbin/httpd
CPU%: 0 (limit: 65)
MEM%: 0 (limit: 25)
PROCS: 256 (limit: 150)
Best Regards,
Namesniper
-
07-26-2005, 04:58 PM #20 Newbie
- Join Date
- Jul 2005
- Posts
- 23
You can check the apache status. Also you can use the netstat command.
----
Aby,
-
07-26-2005, 05:11 PM #21 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
That's what I see now "top"
....
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
6147 apache 15 0 16688 15M 7408 S 3.0 1.5 0:01 3 httpd
6212 apache 16 0 16608 15M 7380 R 3.0 1.5 0:01 2 httpd
6218 apache 15 0 16504 15M 7364 R 3.0 1.5 0:01 0 httpd
6232 apache 16 0 17616 16M 7380 S 3.0 1.6 0:01 3 httpd
5980 apache 15 0 16324 15M 7372 S 2.5 1.5 0:01 0 httpd
5997 apache 15 0 16352 15M 7436 R 2.5 1.5 0:01 3 httpd
6167 apache 16 0 16256 15M 7344 S 2.5 1.5 0:01 2 httpd
6031 apache 15 0 16208 15M 7300 S 2.3 1.5 0:01 1 httpd
6076 apache 15 0 16372 15M 7460 S 2.3 1.5 0:01 3 httpd
6099 apache 15 0 16252 15M 7328 S 2.3 1.5 0:01 0 httpd
6169 apache 15 0 16292 15M 7380 S 2.3 1.5 0:01 3 httpd
5970 apache 15 0 16212 15M 7300 S 2.1 1.5 0:01 2 httpd
6077 apache 15 0 16252 15M 7308 S 2.1 1.5 0:01 0 httpd
6090 apache 15 0 16200 15M 7288 R 2.1 1.5 0:01 2 httpd
6221 apache 16 0 16652 15M 7432 S 2.1 1.5 0:01 2 httpd
6226 apache 15 0 16804 16M 7600 S 2.1 1.6 0:01 3 httpd
6233 apache 15 0 16288 15M 7340 S 2.1 1.5 0:01 2 httpd
5967 apache 15 0 16212 15M 7300 S 1.8 1.5 0:01 2 httpd
6079 apache 15 0 16188 15M 7280 S 1.8 1.5 0:01 0 httpd
6080 apache 15 0 17108 16M 7288 S 1.8 1.6 0:01 0 httpd
6160 apache 15 0 16264 15M 7356 S 1.8 1.5 0:01 1 httpd
6177 apache 16 0 16436 15M 7524 S 1.8 1.5 0:01 2 httpd
6179 apache 15 0 16560 15M 7348 S 1.8 1.5 0:01 3 httpd
6210 apache 15 0 16636 15M 7440 S 1.8 1.5 0:01 2 httpd
6214 apache 15 0 17132 16M 7420 S 1.8 1.6 0:01 1 httpd
Best Regards,
Namesniper
-
07-26-2005, 05:16 PM #22 Newbie
- Join Date
- Jul 2005
- Posts
- 23
Have a check on WHM >> server status >> apache status
----
Aby,
-
07-26-2005, 05:16 PM #23 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
That's what I see in error_log
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:10 2005] [notice] Digest: generating secret for digest authentication ...
[Wed Jul 27 00:40:10 2005] [notice] Digest: done
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
[Wed Jul 27 00:40:12 2005] [notice] Apache configured -- resuming normal operations
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
sh: line 1: /usr/local/bin/convert: No such file or directory
[Wed Jul 27 00:53:51 2005] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Wed Jul 27 00:58:09 2005] [warn] child process 25884 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 9068 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 8632 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 8293 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 9975 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 25758 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 8748 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 7463 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 8927 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 8975 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 25767 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 6529 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 7508 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 25770 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 10571 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 8984 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 26553 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 6532 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 7051 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 9081 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 7519 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 9082 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 9083 still did not exit, sending a SIGTERM
[Wed Jul 27 00:58:12 2005] [warn] child process 10574 still did not exit, sending a SIGTERM
Originally posted by abyvarghese
Just to add, does the Apache error_log show anything useful?
----
Aby,
Best Regards,
Namesniper
-
07-26-2005, 05:19 PM #24 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
I have blocked that IP and for some time everything was fine, but it seems now they are sending those requests from other IPs.
When Apache is dying everything is fine, but once I start it my server is being attacked again and again until Apache goes down again, so their goal is to take it offline!
Originally posted by gilbert
I'd block that single IP as long as it's not yours and see what happens when Apache dies?
Best Regards,
Namesniper
-
07-26-2005, 05:21 PM #25 Web Hosting Master
- Join Date
- Mar 2004
- Posts
- 1,007
WHM?
Originally posted by abyvarghese
Have a check on WHM >> server status >> apache status
----
Aby,
Best Regards,
Namesniper