
I think I'm under a DDOS attack but not too sure, what do you think?

Discussion in 'Server Configuration and Hosting' started by akia, Nov 30, 2011.

  1. akia

    akia Well-Known Member

    I think my server is being DDOS, I've noticed a spike in my servers load and just been checking into it.

    I've noticed that APC is serving the following:
    Request Rate (hits, misses) 515.88 cache requests/second
    Hit Rate 515.38 cache requests/second
    Miss Rate 0.50 cache requests/second
    Insert Rate 0.78 cache requests/second

    Now I've checked with my getclicky stats and I'm showing 6 people online, and I've noticed in the past even when busy there is only normally 50 cache requests a second. So something is up.

    I've also noticed that:

    t/library/Zend/Validate/Hostname/Com.php
    has been hit 546515 times in the last hour, when library/config.php for example has only been hit 3785 times.

    When I do netstat -apn | grep :80 | wc -l I've got 1039 connections open.

    and when I do netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

    I get :

    482 109.123.108.*
    126 94.99.15.*
    121 82.36.240.*
    121 81.156.252.*
    120 86.3.147.*
    119 94.172.151.*
    119 86.14.150.*
    67 196.47.168.*
    57 92.40.253.*
    51 94.169.76.*
    43 178.111.218.*
    41 2.217.54.*
    32 94.4.185.*
    31 94.197.127.*
    28 89.142.223.*
    and more (I've * out the last bits)

    So do you think my suspicions are correct? I'm not sure what I'm meant to be looking for. Also, where would you suggest my next steps should be? While my server isn't breaking out in a sweat, I'd like to put a stop to it if possible.

    Also, where in my server logs would I be able to find details of the IP addresses the attacks are coming from, as I'd like to make sure it's reported to the ISPs' abuse teams.
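    The per-IP request counts the post is asking for can be pulled straight from the web server's access log. The script below is an added example, not part of the thread: it reads Apache/nginx combined-format log lines, counts requests per client IP for one URL (the Com.php path named above), and lists the IPs over a threshold. The log lines and addresses are constructed for the example (RFC 5737 documentation ranges), not data from the server in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): count requests per client IP for one
# hot URL in a combined-format access log, then flag IPs above a threshold.
# The path is the one named in the post; the log lines and addresses below
# are constructed sample data (RFC 5737 documentation ranges).

HOT_PATH='/t/library/Zend/Validate/Hostname/Com.php'

# Constructed sample of combined-log lines: field 1 is the client IP,
# field 7 the request path.
SAMPLE_LOG='203.0.113.5 - - [30/Nov/2011:10:00:01 +0000] "GET /t/library/Zend/Validate/Hostname/Com.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Nov/2011:10:00:01 +0000] "GET /t/library/Zend/Validate/Hostname/Com.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Nov/2011:10:00:02 +0000] "GET /t/library/Zend/Validate/Hostname/Com.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Nov/2011:10:00:02 +0000] "GET /t/library/Zend/Validate/Hostname/Com.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Nov/2011:10:00:03 +0000] "GET /library/config.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Nov/2011:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# top_ips_for_path PATH < accesslog
# Prints "count ip" lines, busiest first, for requests whose path equals PATH.
top_ips_for_path() {
    awk -v path="$1" '$7 == path { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# flag_over_threshold N < "count ip" lines
# Prints only the IPs whose request count exceeds N (candidates for an
# abuse report or a temporary block).
flag_over_threshold() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# Stand-alone run: per-IP breakdown for the hot path, then the IPs above 2 hits.
printf '%s\n' "$SAMPLE_LOG" | top_ips_for_path "$HOT_PATH"
printf '%s\n' "$SAMPLE_LOG" | top_ips_for_path "$HOT_PATH" | flag_over_threshold 2
```

    On a live server, replace the constructed sample with the real log, e.g. `top_ips_for_path "$HOT_PATH" < /var/log/apache2/access.log`; the output gives the source addresses and hit counts to quote when contacting an ISP's abuse contact.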
     
  2. Floris

    Floris Guest

    [edit] I just spotted you have them counted.

    Try this btw, so you don't just get a list of your connections, but count them as well, a good indicator of ranges attacking with a flood.

    netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
    output:
    2 86.128.170.x
    3 94.75.233.x
    4 109.74.200.x
    4 192.168.0.x
    43 0.0.0.0

    and

    netstat -an | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq -c
    output:
    4 109.74.200.x
    1 180.76.5.x
    10 192.168.1.x
    1 192.168.1.x
    1 46.105.108.x
    You can also count the state of connections:
    netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

    1 established
    1 Foreign
    1 LAST_ACK
    6 SYN_SENT
    8 ESTABLISHED
    29 LISTEN

    Make sure you don't use the default port for ssh2, turn off the FTP daemon, and perhaps consider putting MySQL on a different port as well. If they use scripts to probe known ports, or brute force ssh for example, your load might go up as well, even though no active connection is registered (as with apache port 80).
     