I think I'm under a DDOS attack but not too sure, what do you think?

akia

Well-known member
I think my server is being DDoSed; I've noticed a spike in my server's load and have just been checking into it.

I've noticed that APC is serving the following:
Request Rate (hits, misses) 515.88 cache requests/second
Hit Rate 515.38 cache requests/second
Miss Rate 0.50 cache requests/second
Insert Rate 0.78 cache requests/second

Now I've checked with my getclicky stats and I'm showing 6 people online, and I've noticed in the past that even when busy there are only normally 50 cache requests a second. So something is up.

I've also noticed that:

t/library/Zend/Validate/Hostname/Com.php
has been hit 546515 times in the last hour, when library/config.php, for example, has only been hit 3785 times.

When I do netstat -apn | grep :80 | wc -l I've got 1039 connections open.

And when I do netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

I get:

482 109.123.108.*
126 94.99.15.*
121 82.36.240.*
121 81.156.252.*
120 86.3.147.*
119 94.172.151.*
119 86.14.150.*
67 196.47.168.*
57 92.40.253.*
51 94.169.76.*
43 178.111.218.*
41 2.217.54.*
32 94.4.185.*
31 94.197.127.*
28 89.142.223.*
and more (I've *'d out the last bits)

So do you think my suspicions are correct? I'm not sure what I'm meant to be looking for. Also, what would you suggest my next steps should be? While my server isn't breaking out in a sweat, I'd like to put a stop to it if possible.

Also, where in my server logs would I be able to find details of the IP addresses the attack is coming from, as I'd like to make sure it's reported to the ISPs' abuse teams.
 
[edit] I just spotted you have them counted.

Try this btw, so you don't just get a list of your connections but count them as well; a good indicator of ranges attacking with a flood.

netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
output:
2 86.128.170.x
3 94.75.233.x
4 109.74.200.x
4 192.168.0.x
43 0.0.0.0

and

netstat -an | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq -c
output:
4 109.74.200.x
1 180.76.5.x
10 192.168.1.x
1 192.168.1.x
1 46.105.108.x
You can also count the state of connections:
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

1 established
1 Foreign
1 LAST_ACK
6 SYN_SENT
8 ESTABLISHED
29 LISTEN

Make sure you don't use the default port for ssh2, turn off the FTP daemon, and perhaps consider putting MySQL on a different port as well. If they use scripts to probe known ports, or brute force ssh for example, your load might go up as well, even though no active connection is registered (as with apache port 80).
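The one-liners in both posts above (per-IP connection counts from the original question, per-state counts from this reply) can be wrapped into reusable shell functions so the same checks can be re-run and compared against a threshold. The script below is an added example and is not code from either poster; the netstat output it runs on is a constructed sample using documentation IP ranges, and it assumes the IPv4 `netstat -nat` column layout (proto, recv-q, send-q, local, foreign, state). On a live box you would pipe `netstat -nat` into the functions instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output (not captured from any real server).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.10:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:51237      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      TIME_WAIT
tcp        0      0 10.0.0.5:22             192.0.2.44:5555         ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40003      ESTABLISHED'

# Count remote IPv4 addresses connected to a given local port, highest first.
# Skips the two header lines and the LISTEN socket (whose "foreign" address is 0.0.0.0:*).
# Usage: remote_ip_counts PORT < netstat_output
remote_ip_counts() {
    port="$1"
    awk -v port="$port" '$1 == "tcp" && $6 != "LISTEN" && $4 ~ (":" port "$") {
        split($5, a, ":"); print a[1]
    }' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Count connections by TCP state (ESTABLISHED, SYN_RECV, TIME_WAIT, ...), highest first.
# A large SYN_RECV count relative to ESTABLISHED is the classic SYN-flood signature.
# Usage: state_counts < netstat_output
state_counts() {
    awk '$1 == "tcp" {print $6}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print only the remote addresses holding more than THRESHOLD connections to PORT.
# The threshold is a local judgement call (assumed value, tune to your normal traffic).
# Usage: flag_over_threshold PORT THRESHOLD < netstat_output
flag_over_threshold() {
    port="$1"; threshold="$2"
    remote_ip_counts "$port" | awk -v t="$threshold" '$1 > t {print $2}'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | remote_ip_counts 80
printf '%s\n' "$SAMPLE_NETSTAT" | state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | flag_over_threshold 80 2
```

Running the flagging step from cron and diffing against the previous run gives a cheap early warning; the addresses it reports are the ones to look up in the web server access log (by default `/var/log/apache2/access.log` or `/var/log/httpd/access_log`) before contacting an abuse team.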
 