  1. #1

    Overload of traffic

    I am not sure if my dedicated server is being attacked or if it is legitimate traffic. I need help figuring out the difference and if it is an attack, how to prevent it, and if it is legitimate traffic, how to configure the server to handle the load.

    My server information is below:

    Hardware
    • Intel Xeon 3220-Quad Core [2.4GHz]
    • 8GB DDR2
    • SATAII 500GB


    Software
    • CentOS 5.3-32
    • Apache2
    • MySQL 5
    • PHP 5

    When I do ps aux|grep httpd|wc -l I get a count of 259 currently connected clients, which is always maxing out my MaxClients of 256. I increased it to 512, and it maxed out; I increased it to 1024, and it maxed out; and lastly I set it to 2048 and it works, but it slows the entire server down.

    Can someone guide me to figure out where this traffic is going on my server? If this is valid traffic or an attack?

    Thanks in advance!

  2. #2
    Join Date
    Nov 2003
    Location
    New Jersey, USA
    Posts
    81
    Check the number of httpd connections of each connected IP to see if someone is hammering your server. You can run something like this from the shell:

    #netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n|tail -n 80

    If everything looks legit, you should look into something like LiteSpeed web server to handle the extra load.

  3. #3
    Here is what I got when I ran this command: netstat -aptn | grep httpd | awk '{print $5}' | cut -d: -f4 | sort | uniq -c | sort -n


  4. #4
    Join Date
    Nov 2003
    Location
    New Jersey, USA
    Posts
    81
    This IP block looks suspicious (208.43.119.xxx); if you don't have any business with them, you may want to block it.

  5. #5
    Join Date
    Jan 2005
    Posts
    2,175
    Looks like your server is being attacked. Apache is very weak against these types of attacks. LiteSpeed could easily handle them and use a lot less resources.

  6. #6
    It definitely sounds like something nasty is happening on the Apache server.
    Block those IPs using a firewall (iptables/APF).

    #iptables -A INPUT -s <Source IP> -j DROP

    If you have an APF firewall, then just add the IPs which you want to block in the file /etc/apf/deny_hosts.rules
    Keep continuing this process until the attack on the machine is reduced.

  7. #7
    Join Date
    May 2009
    Location
    SLASH ROOT
    Posts
    853
    The number of connections per IP isn't that huge. Can you check the result of "netstat -plan| grep :80" command.

    Let me know what you see most (TIME_WAIT, ESTABLISHED, SYN). If it's TIME_WAIT, then your server is hitting the max limit and you would need to further raise the limits.

    If it's SYN_ then you are under attack. But do take a 'tcpdump' to check what exactly is going on in your server.
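
The checks suggested across this thread, combined into one script as an added example (not part of any poster's reply): it tallies TCP states on port 80 and groups remote addresses by /24, which exposes a block such as 208.43.119.xxx that stays low in a per-IP count. The sample input is constructed from documentation address ranges, and the function names `sample_netstat`, `state_counts` and `subnet_counts` are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 0.0.0.0:80              0.0.0.0:*                 LISTEN
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.21:40112 ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.22:40113 ESTABLISHED
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.23:40114 SYN_RECV
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.24:40115 SYN_RECV
tcp        0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.25:40116 SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51000        TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.8:51001        ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:51002        ESTABLISHED
EOF
}

# Tally TCP states for connections whose local port is $1 (default 80).
# Reads netstat output on stdin; prints "STATE count", sorted by state name.
state_counts() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" { n[$6]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# Count connections per remote /24 for local port $1 (default 80).
# Handles both "a.b.c.d:port" and the IPv4-mapped "::ffff:a.b.c.d:port" form,
# which is why a fixed `cut -d: -fN` field number differs between hosts.
subnet_counts() {
    awk -v port="${1:-80}" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)     # drop the remote port
            sub(/^::ffff:/, "", ip)     # drop the IPv4-mapped prefix
            split(ip, o, ".")
            n[o[1] "." o[2] "." o[3] ".0/24"]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# Run both reports against the constructed sample.
sample_netstat | state_counts 80
sample_netstat | subnet_counts 80
```

On a live server, replace `sample_netstat` with `netstat -ant` to feed real data to either function.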

  8. #8
    Thanks for all the responses. We have set up blocks on major IP traffic using route.
