  1. #1

    Very weird apache problem

    We've been experiencing a very weird issue with apache2 (possibly?).

    Basically our site loads sometimes and does not load at other times.

    We can *always* ping the IP. Yet, only about 20% of the time does the site pull up if we try to go to the IP. There are times when we are browsing the site on the IP but if we go to the domain, it does not come up (yet you can see the proper IP if you ping the domain).

    This randomness is driving me nuts. Anyone have any clue what may be going on? We have tried everything, including a NIC change and an OS reinstall (we have Debian).

    Thanks for your help.

  2. #2
    Join Date
    Feb 2002
    Posts
    1,137
    Hi,

    Is apache still running at the time? If so, it might be worth looking at your DNS.

  3. #3
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    Sounds like a DNS problem. Did you check the apache/bind logs?

  4. #4
    I'm thinking it's a DNS issue too. But why won't I be able to access via IP?

    I see this in my bind log:
    Sep 21 21:10:15 localhost kernel: [90527.708879] possible SYN flooding on port 80. Sending cookies.
    Sep 21 21:11:20 localhost kernel: [90595.491040] possible SYN flooding on port 80. Sending cookies.
    Sep 21 21:12:29 localhost kernel: [90667.792901] possible SYN flooding on port 80. Sending cookies.
    Sep 21 21:13:30 localhost kernel: [90731.513915] possible SYN flooding on port 80. Sending cookies.

    Seems like after a whole day of it, it stops at 11pm. Am I being DDoS'd?

    Every night around 1am the site starts to function perfectly well. And it stops around 8-9am.


    Thanks for all your help guys!
    Last edited by oonth; 09-22-2009 at 01:25 AM.

  5. #5
    Join Date
    Apr 2009
    Location
    whitehouse
    Posts
    656
    It's a DoS for sure, but not sure if it's distributed. You may want to take a look at the output of netstat and block IPs accordingly. The SYN flood indeed is the reason for the intermittent loss of connectivity to your site. Anyway, try accessing the site using an IP to rule out a DNS issue.
    James B
    Ezeelogin - Setup your Secure Linux SSH Gateway. | Manage & Administer Multiple Linux Servers Quickly & Securely.

  6. #6
    Join Date
    Mar 2009
    Location
    Bangalore
    Posts
    41
    # netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    The above command will list the IPs taking the largest number of connections to a server (highest counts last).

    Install mod_evasive on Debian and restart Apache (/etc/init.d/apache2 restart):

    # apt-get install libapache2-mod-evasive

    Some more Packages that can be installed on your debian server:

    libapache2-mod-evasive - evasive module to minimize HTTP DoS or brute force attacks
    libapache2-mod-spamhaus - Apache DNSBL module that blocks listed IP addresses
    psad - The Port Scan Attack Detector
    libapache-mod-security - Tighten web applications security for Apache
    mod-security-common - Tighten web applications security - common files
    fail2ban - bans IPs that cause multiple authentication errors.
    Serversignature.com - Professional Linux Consulting.
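
Added example, not part of any post in this thread: a per-port breakdown of `netstat -ant` output by TCP state, plus the remote addresses holding half-open (SYN_RECV) connections, which is the netstat check suggested above taken one step further. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Live use:  netstat -ant | port_summary 80

# Constructed sample input (documentation addresses, not data from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:52344       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:52345       TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:52001       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:41000    SYN_RECV
EOF
}

# port_summary PORT: reads `netstat -ant` on stdin and prints
#   "state <STATE> <count>"    for every TCP state seen on local PORT, then
#   "syn_recv <addr> <count>"  for every remote address stuck in SYN_RECV,
# each group ordered by count, highest first.
port_summary() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lp = $4; remote = $5
      sub(/^.*:/, "", lp)           # local port = text after the LAST colon
      if (lp != port) next
      sub(/:[^:]*$/, "", remote)    # drop remote port, keep IPv6 colons intact
      state[$6]++
      if ($6 == "SYN_RECV") half[remote]++
    }
    END {
      for (s in state) printf "state %s %d\n", s, state[s]
      for (r in half)  printf "syn_recv %s %d\n", r, half[r]
    }' | LC_ALL=C sort -k1,1 -k3,3nr -k2,2
}

# Run on the sample only when executed directly, not when sourced.
if [ "${BASH_SOURCE[0]:-$0}" = "$0" ] && [ -z "${NO_DEMO:-}" ]; then
  sample_netstat | port_summary 80
fi
```

A SYN_RECV count that dwarfs ESTABLISHED on port 80 matches the kernel's "possible SYN flooding" message, and the `syn_recv` lines show whether those half-open connections cluster on a few addresses or are spread thinly across many. A high ESTABLISHED count with few SYN_RECV entries points instead at Apache running out of worker slots.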

  7. #7
    Join Date
    Jun 2008
    Location
    India
    Posts
    129
    Yes, you should try to block the IP address in case from the same ... or else you should optimize the server more by trying to block with TTL values or something....

  8. #8
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Sounds like you're hitting max clients either from a DDoS or from traffic.

    Just because you're sending 'cookies' does not mean it's being attacked.

    My personal server sends cookies sometimes and it's not under attack.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
