  1. #1
    Join Date
    Mar 2004
    Posts
    1,007

    Help with unusual traffic load

    Hello,

    It's been 4 hours now; according to MRTG, my server is pushing and receiving at 8-10 mbps.

    That's very unusual for my server, as usually my bandwidth is at 1.5-3.5 mbps.

    Also, it's strange that from-internet traffic is even higher than to-internet traffic.

    Can anyone please advise me how to understand what exactly is being downloaded/uploaded and which IP is using that much bandwidth?
    Best Regards,
    Namesniper

  2. #2
    Join Date
    Jan 2004
    Location
    Texas
    Posts
    1,556
    What OS are you using?
    James Lumby

  3. #3
    Join Date
    Jul 2005
    Posts
    80
    You can use iptraf (console program) to check where this huge traffic is coming from (more or less)

  4. #4
    Join Date
    Mar 2004
    Posts
    1,007
    RHEL 3


    Originally posted by lumbyjj
    What OS are you using?
    Best Regards,
    Namesniper

  5. #5
    Join Date
    Jun 2003
    Location
    United States of America
    Posts
    1,847
    And what's your website? You may wanna look into BitTorrent?
    Computer Steroids - Full service website development solutions since 2001.
    (612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.

  6. #6
    Join Date
    Mar 2004
    Posts
    1,007
    Unfortunately I don't have iptraf installed

    ps -aux returns
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line.
    warning, got duplicate tcp line

    Same for netstat

    Any ideas ?


    Originally posted by zoldar
    You can use iptraf (console program) to check where this huge traffic is coming from (more or less)
    Best Regards,
    Namesniper

  7. #7
    Join Date
    May 2002
    Location
    east coast
    Posts
    64
    My first concern would be the possibility that your server has been hacked or otherwise compromised

    If you can't identify the traffic surge quickly, I would look into hiring a professional, ASAP.

    If it's a mail exploit, for instance, you could end up on some blacklists pretty quickly.

  8. #8
    Join Date
    Mar 2004
    Posts
    1,007
    I am 100% sure that I was not compromised, and I have heard the same from the DC, but they can't understand what's going on; httpd is failing every minute!

    Originally posted by outsource
    My first concern would be the possibility that your server has been hacked or otherwise compromised

    If you can't identify the traffic surge quickly, I would look into hiring a professional, ASAP.

    If it's a mail exploit, for instance, you could end up on some blacklists pretty quickly.
    Best Regards,
    Namesniper

  9. #9
    Join Date
    Aug 2003
    Location
    USA
    Posts
    1,036
    Are you currently running any (D)DOS prevention methods?

    Depending on the in/out, the traffic surge could be a targeted (D)DOS attack.
    CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
    ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
    :: Pay for your discount ModernBill license with PayPal
    :: admin[at]cybexhost.com :: AIM: CybexH

  10. #10
    Join Date
    Mar 2004
    Posts
    1,007
    The DC has told me that there is no DDoS attack atm.
    I have tailed the logs and found one IP which was generating too much traffic; I am not sure if it will fix the problem.

    Originally posted by CybexHost
    Are you currently running any (D)DOS prevention methods?

    Depending on the in/out, the traffic surge could be a targeted (D)DOS attack.
    Best Regards,
    Namesniper

  11. #11
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,602
    Maybe you are getting flooded. Has your Apache maxed out your MaxClient setting?
    TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR

  12. #12
    Join Date
    Jul 2004
    Posts
    873
    Use iptraf or iftop and you can find the reason for this high traffic.

  13. #13
    Join Date
    Aug 2003
    Location
    USA
    Posts
    1,036
    Depending on how your daemon is adjusted, the MaxClient number may not change after a crash of httpd from too many clients. A typical number is about 150.

    What is your current MaxClient setting?
    CybexHost.com - Shared and Reseller Hosting Solutions on cPanel/WHM Linux Servers
    ModernTweak.com - Discount ModernBill Licenses, Hosted Installations, and Professional Services
    :: Pay for your discount ModernBill license with PayPal
    :: admin[at]cybexhost.com :: AIM: CybexH

  14. #14
    Just to add: does the Apache error_log show anything useful?

    ----
    Aby,
    Last edited by abyvarghese; 07-26-2005 at 01:50 PM.

  15. #15
    Join Date
    Jun 2003
    Location
    United States of America
    Posts
    1,847
    I'd block that single IP as long as it's not yours and see what happens when Apache dies?
    Computer Steroids - Full service website development solutions since 2001.
    (612)234-2768 - Locally owned and operated in the Minneapolis, Minnesota area.

  16. #16
    Join Date
    Mar 2004
    Posts
    1,007
    Unfortunately I don't have any of those installed


    Originally posted by artin1982
    Use iptraf or iftop and you can find the reason for this high traffic.
    Best Regards,
    Namesniper

  17. #17
    Better late than never. Why not install it now?

    ----
    Aby,

  18. #18
    Join Date
    Mar 2004
    Posts
    1,007
    My MaxClient is 150, and yes, I see that it's failing because there are 250+ connections, but I can't understand from WHICH IP I am getting that many connections so I can ban it!

    Apache is still failing every minute.

    Originally posted by CybexHost
    Depending on how your daemon is adjusted, the MaxClient number may not change after a crash of httpd from too many clients. A typical number is about 150.

    What is your current MaxClient setting?
    Best Regards,
    Namesniper

  19. #19
    Join Date
    Mar 2004
    Posts
    1,007
    The process (915) has exceeded defined resource limits, as such a kill signal was invoked from the process resource monitor.

    That's what I see now


    - Event Summary:
    USER: apache
    PID : 915
    CMD : /usr/sbin/httpd
    CPU%: 0 (limit: 65)
    MEM%: 0 (limit: 25)
    PROCS: 256 (limit: 150)
    Best Regards,
    Namesniper

  20. #20
    You can check the apache status. Also you can use the netstat command.

    ----
    Aby,
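Added example (not part of any poster's reply, and not code from the thread): one way to answer the "which IP" question with the netstat command suggested above, without installing iptraf or iftop. It tallies connections to the web port per remote address and counts half-open (SYN_RECV) ones separately; the function names, the threshold and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank remote IPs by TCP connections held against the web port.
# Input is `netstat -ant` style text on stdin. Port and threshold are assumptions.

top_talkers() {
    port="${1:-80}"     # local port to inspect
    limit="${2:-20}"    # flag any IP holding more connections than this
    awk -v port="$port" -v limit="$limit" '
        $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
            # $4 = local address, $5 = foreign address, $6 = TCP state
            n = split($4, l, ":")
            if (l[n] != port) next
            # Drop the trailing :port and keep the rest (handles IPv6 colons)
            m = split($5, r, ":")
            ip = r[1]
            for (i = 2; i < m; i++) ip = ip ":" r[i]
            sub(/^::ffff:/, "", ip)            # IPv4-mapped IPv6 to plain IPv4
            total[ip]++
            if ($6 == "SYN_RECV") half[ip]++   # half-open handshakes
        }
        END {
            # Output columns: total, half-open, remote IP, verdict
            for (ip in total)
                printf "%d %d %s %s\n", total[ip], half[ip] + 0, ip,
                       (total[ip] > limit ? "OVER" : "ok")
        }' | sort -k1,1nr -k3,3
}

# Constructed sample (documentation address ranges), not output from the thread.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address          State
tcp        0      0 0.0.0.0:80         0.0.0.0:*                LISTEN
tcp        0      0 192.0.2.10:80      203.0.113.7:40001        ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.7:40002        ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.7:40003        SYN_RECV
tcp        0      0 :::80              ::ffff:203.0.113.7:40004 SYN_RECV
tcp        0      0 192.0.2.10:80      198.51.100.23:51000      TIME_WAIT
tcp        0      0 192.0.2.10:22      198.51.100.23:51001      ESTABLISHED
tcp        0      0 192.0.2.10:80      198.51.100.23:51002      ESTABLISHED
EOF
}

sample_netstat | top_talkers 80 3
# On a live server: netstat -ant | top_talkers 80 20
```

Many addresses each holding a handful of connections, rather than one address marked OVER, indicates a distributed source, where blocking single IPs will not keep Apache under its MaxClients limit.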

  21. #21
    Join Date
    Mar 2004
    Posts
    1,007
    That's what I see now in "top"
    ....
    PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
    6147 apache 15 0 16688 15M 7408 S 3.0 1.5 0:01 3 httpd
    6212 apache 16 0 16608 15M 7380 R 3.0 1.5 0:01 2 httpd
    6218 apache 15 0 16504 15M 7364 R 3.0 1.5 0:01 0 httpd
    6232 apache 16 0 17616 16M 7380 S 3.0 1.6 0:01 3 httpd
    5980 apache 15 0 16324 15M 7372 S 2.5 1.5 0:01 0 httpd
    5997 apache 15 0 16352 15M 7436 R 2.5 1.5 0:01 3 httpd
    6167 apache 16 0 16256 15M 7344 S 2.5 1.5 0:01 2 httpd
    6031 apache 15 0 16208 15M 7300 S 2.3 1.5 0:01 1 httpd
    6076 apache 15 0 16372 15M 7460 S 2.3 1.5 0:01 3 httpd
    6099 apache 15 0 16252 15M 7328 S 2.3 1.5 0:01 0 httpd
    6169 apache 15 0 16292 15M 7380 S 2.3 1.5 0:01 3 httpd
    5970 apache 15 0 16212 15M 7300 S 2.1 1.5 0:01 2 httpd
    6077 apache 15 0 16252 15M 7308 S 2.1 1.5 0:01 0 httpd
    6090 apache 15 0 16200 15M 7288 R 2.1 1.5 0:01 2 httpd
    6221 apache 16 0 16652 15M 7432 S 2.1 1.5 0:01 2 httpd
    6226 apache 15 0 16804 16M 7600 S 2.1 1.6 0:01 3 httpd
    6233 apache 15 0 16288 15M 7340 S 2.1 1.5 0:01 2 httpd
    5967 apache 15 0 16212 15M 7300 S 1.8 1.5 0:01 2 httpd
    6079 apache 15 0 16188 15M 7280 S 1.8 1.5 0:01 0 httpd
    6080 apache 15 0 17108 16M 7288 S 1.8 1.6 0:01 0 httpd
    6160 apache 15 0 16264 15M 7356 S 1.8 1.5 0:01 1 httpd
    6177 apache 16 0 16436 15M 7524 S 1.8 1.5 0:01 2 httpd
    6179 apache 15 0 16560 15M 7348 S 1.8 1.5 0:01 3 httpd
    6210 apache 15 0 16636 15M 7440 S 1.8 1.5 0:01 2 httpd
    6214 apache 15 0 17132 16M 7420 S 1.8 1.6 0:01 1 httpd
    Best Regards,
    Namesniper

  22. #22
    Have a check on WHM >> server status >> apache status


    ----
    Aby,

  23. #23
    Join Date
    Mar 2004
    Posts
    1,007
    That's what I see in error_log

    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:10 2005] [notice] Digest: generating secret for digest authentication ...
    [Wed Jul 27 00:40:10 2005] [notice] Digest: done
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:11 2005] [warn] RSA server certificate CommonName (CN) `plesk' does NOT match server name!?
    [Wed Jul 27 00:40:12 2005] [notice] Apache configured -- resuming normal operations
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    sh: line 1: /usr/local/bin/convert: No such file or directory
    [Wed Jul 27 00:53:51 2005] [error] server reached MaxClients setting, consider raising the MaxClients setting
    [Wed Jul 27 00:58:09 2005] [warn] child process 25884 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 9068 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 8632 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 8293 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 9975 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 25758 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 8748 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 7463 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 8927 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 8975 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 25767 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 6529 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 7508 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 25770 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 10571 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 8984 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 26553 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 6532 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 7051 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 9081 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 7519 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 9082 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 9083 still did not exit, sending a SIGTERM
    [Wed Jul 27 00:58:12 2005] [warn] child process 10574 still did not exit, sending a SIGTERM

    Originally posted by abyvarghese
    Just to add: does the Apache error_log show anything useful?

    ----
    Aby,
    Best Regards,
    Namesniper

  24. #24
    Join Date
    Mar 2004
    Posts
    1,007
    I have blocked that IP and for some time everything was fine, but it seems now they are sending those requests from other IPs.

    When Apache is dying everything is fine, but once I start it my server is being attacked again and again until Apache goes down again, so their goal is to take it offline!

    Originally posted by gilbert
    I'd block that single IP as long as it's not yours and see what happens when Apache dies?
    Best Regards,
    Namesniper

  25. #25
    Join Date
    Mar 2004
    Posts
    1,007
    WHM ?

    Originally posted by abyvarghese
    Have a check on WHM >> server status >> apache status


    ----
    Aby,
    Best Regards,
    Namesniper
