We've been experiencing a very weird issue with apache2 (possibly?).
Basically our site loads sometimes and does not load at other times.
We can *always* ping the IP. Yet, only about 20% of the time does the site pull up if we try to go to the IP. There are times when we are browsing the site on the IP but if we go to the domain, it does not come up (yet you can see the proper IP if you ping the domain).
This randomness is driving me nuts. Anyone have any clue what may be going on? We have tried everything, including a NIC change and an OS reinstall (we have Debian).
I'm thinking it's a DNS issue too. But why won't I be able to access via IP?
I see this in my bind log:
Sep 21 21:10:15 localhost kernel: [90527.708879] possible SYN flooding on port 80. Sending cookies.
Sep 21 21:11:20 localhost kernel: [90595.491040] possible SYN flooding on port 80. Sending cookies.
Sep 21 21:12:29 localhost kernel: [90667.792901] possible SYN flooding on port 80. Sending cookies.
Sep 21 21:13:30 localhost kernel: [90731.513915] possible SYN flooding on port 80. Sending cookies.
Seems like after a whole day of it, it stops at 11pm. Am I being DDoS'd?
Every night around 1am the site starts to function perfectly well. And it stops around 8-9am.
It's a DoS for sure, but I'm not sure if it's distributed. You may want to take a look at the output of netstat and block IPs accordingly. The SYN flood indeed is the reason for the intermittent loss of connectivity to your site. Anyway, try accessing the site using an IP to rule out a DNS issue.
The above command will list the IPs taking the most amount of connections to a server.
Install mod_evasive in Debian and restart Apache:
# apt-get install libapache2-mod-evasive
# /etc/init.d/apache2 restart
Some more Packages that can be installed on your debian server:
libapache2-mod-evasive - evasive module to minimize HTTP DoS or brute force attacks
libapache2-mod-spamhaus - Apache DNSBL module that blocks listed IP addresses
psad - The Port Scan Attack Detector
libapache-mod-security - Tighten web applications security for Apache
mod-security-common - Tighten web applications security - common files
fail2ban - bans IPs that cause multiple authentication errors.
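The replies above suggest reading the netstat output for the IPs holding the most connections. The following is an added example, not a command posted by anyone in this thread: it tallies remote addresses by TCP state for one local port. It assumes the Linux `netstat -ant` column layout; the function names `top_sources` and `state_counts` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51820       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.50:33400      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.50:33402      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.50:50022      ESTABLISHED
EOF
}

# top_sources STATE [PORT]: read netstat output on stdin and print
# "count ip" for remote addresses in STATE on local PORT, busiest first.
top_sources() {
    LC_ALL=C awk -v st="$1" -v port="${2:-80}" '
        $1 ~ /^tcp/ && $6 == st {
            n = split($4, l, ":")          # local port is the last ":" field
            if (l[n] != port) next
            ip = $5
            sub(/:[0-9*]+$/, "", ip)       # strip the remote port
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# state_counts [PORT]: connections per TCP state on local PORT. Many SYN_RECV
# entries point at half-open connections; many ESTABLISHED point at real load.
state_counts() {
    LC_ALL=C awk -v port="${1:-80}" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":")
            if (l[n] == port) c[$6]++
        }
        END { for (s in c) print s, c[s] }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample; on a live server use: netstat -ant | top_sources SYN_RECV 80
sample_netstat | top_sources SYN_RECV 80
sample_netstat | state_counts 80
```

Source addresses in a SYN flood are often spoofed, so a per-IP tally of SYN_RECV entries may show many addresses with one or two entries each rather than a short list worth blocking.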
Sounds like you're hitting max clients either from a DDoS or from traffic.
Just because you're sending 'cookies' does not mean it's being attacked.
My personal server sends cookies sometimes and it's not under attack.
Steven Ciaburri | Industry's Best Server Management- Rack911.com