LinuxQuestions.org > Linux - Security > DDOS attack help me (http://www.linuxquestions.org/questions/linux-security-4/ddos-attack-help-me-729379/)

dheeraj4uuu 05-29-2009 03:42 PM

DDOS attack help me
 
Hello,

My server is running too many httpd processes. I think I am under a DDoS attack. I executed the following command:

Code:

netstat -an | grep :80 | sort

and the result is this:

Code:

tcp        0  1491 ::ffff:95.211.10.169:80    ::ffff:213.215.100.110:2263 LAST_ACK   
tcp        0  1493 ::ffff:95.211.10.169:80    ::ffff:85.207.126.231:52694 LAST_ACK   
tcp        0  1533 ::ffff:95.211.10.169:80    ::ffff:207.54.100.81:1907  LAST_ACK   
tcp        0  1555 ::ffff:95.211.10.169:80    ::ffff:94.216.199.59:49666  LAST_ACK   
tcp        0  1556 ::ffff:95.211.10.169:80    ::ffff:79.199.224.51:1250  LAST_ACK   
tcp        0  1558 ::ffff:95.211.10.169:80    ::ffff:207.219.125.9:4445  LAST_ACK   
tcp        0  1569 ::ffff:95.211.10.169:80    ::ffff:122.161.153.56:2788  LAST_ACK   
tcp        0  1579 ::ffff:95.211.10.169:80    ::ffff:62.31.54.30:50167    LAST_ACK   
tcp        0  1584 ::ffff:95.211.10.169:80    ::ffff:79.101.147.239:54629 LAST_ACK   
tcp        0  1604 ::ffff:95.211.10.169:80    ::ffff:89.132.65.227:4880  LAST_ACK   
tcp        0  1617 ::ffff:95.211.10.169:80    ::ffff:82.25.181.8:4227    LAST_ACK   
tcp        0  1628 ::ffff:95.211.10.169:80    ::ffff:77.46.252.70:2116    LAST_ACK   
tcp        0  1723 ::ffff:95.211.10.169:80    ::ffff:88.178.111.6:3838    LAST_ACK   
tcp        0  3252 ::ffff:95.211.10.169:80    ::ffff:76.120.33.115:4181  LAST_ACK   
tcp      106      0 ::ffff:95.211.10.169:80    ::ffff:174.132.216.26:38244 ESTABLISHED
tcp      163      0 ::ffff:95.211.10.169:80    ::ffff:193.2.216.130:41690  CLOSE_WAIT 
tcp      164      0 ::ffff:95.211.10.169:80    ::ffff:76.174.2.134:65249  CLOSE_WAIT 
tcp      177      0 ::ffff:95.211.10.169:80    ::ffff:119.63.194.124:46871 CLOSE_WAIT 
tcp      196      0 ::ffff:95.211.10.169:80    ::ffff:77.232.69.160:51396  CLOSE_WAIT 
tcp      213      0 ::ffff:95.211.10.169:80    ::ffff:174.36.52.105:38332  CLOSE_WAIT 
tcp      218      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:45186  CLOSE_WAIT 
tcp      218      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:46711  CLOSE_WAIT 
tcp      218      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:47529  CLOSE_WAIT 
tcp      219      0 ::ffff:95.211.10.169:80    ::ffff:67.228.157.57:53628  CLOSE_WAIT 
tcp      225      0 ::ffff:95.211.10.169:80    ::ffff:75.7.19.214:61179    CLOSE_WAIT 
tcp      226      0 ::ffff:95.211.10.169:80    ::ffff:174.36.52.109:57823  CLOSE_WAIT 
tcp      226      0 ::ffff:95.211.10.169:80    ::ffff:174.36.52.98:45852  CLOSE_WAIT 
tcp      228      0 ::ffff:95.211.10.169:80    ::ffff:174.36.52.98:32786  CLOSE_WAIT 
tcp      231      0 ::ffff:95.211.10.169:80    ::ffff:75.37.34.143:50308  CLOSE_WAIT 
tcp      247      0 ::ffff:95.211.10.169:80    ::ffff:174.36.52.110:35686  CLOSE_WAIT 
tcp      253      0 ::ffff:95.211.10.169:80    ::ffff:75.37.34.143:50198  CLOSE_WAIT 
tcp      253      0 ::ffff:95.211.10.169:80    ::ffff:97.74.24.1:34023    CLOSE_WAIT 
tcp      275      0 ::ffff:95.211.10.169:80    ::ffff:66.249.68.230:33723  CLOSE_WAIT 
tcp      332      0 ::ffff:95.211.10.169:80    ::ffff:74.55.61.2:3147      CLOSE_WAIT 
tcp      367      0 ::ffff:95.211.10.169:80    ::ffff:213.55.78.183:38888  ESTABLISHED
tcp      368      0 ::ffff:95.211.10.169:80    ::ffff:93.86.209.115:58909  CLOSE_WAIT 
tcp      374      0 ::ffff:95.211.10.169:80    ::ffff:87.208.191.218:51908 ESTABLISHED
tcp      380      0 ::ffff:95.211.10.169:80    ::ffff:82.236.100.52:3241  ESTABLISHED
tcp      405      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:45525  CLOSE_WAIT 
tcp      405      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:46994  CLOSE_WAIT 
tcp      405      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:48590  CLOSE_WAIT 
tcp      413      0 ::ffff:95.211.10.169:80    ::ffff:71.254.106.108:50578 ESTABLISHED
tcp      417      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:49632  CLOSE_WAIT 
tcp      420      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:55229  CLOSE_WAIT 
tcp      434      0 ::ffff:95.211.10.169:80    ::ffff:92.249.214.140:49432 ESTABLISHED
tcp      445      0 ::ffff:95.211.10.169:80    ::ffff:189.19.6.79:62627    CLOSE_WAIT 
tcp      463      0 ::ffff:95.211.10.169:80    ::ffff:79.47.143.218:1558  ESTABLISHED
tcp      468      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:45015  CLOSE_WAIT 
tcp      468      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:46515  CLOSE_WAIT 
tcp      468      0 ::ffff:95.211.10.169:80    ::ffff:72.30.142.183:48100  CLOSE_WAIT 
tcp      502      0 ::ffff:95.211.10.169:80    ::ffff:85.193.245.38:55076  ESTABLISHED
tcp      506      0 ::ffff:95.211.10.169:80    ::ffff:72.252.26.104:53420  ESTABLISHED
tcp      523      0 ::ffff:95.211.10.169:80    ::ffff:212.175.112.14:53611 CLOSE_WAIT 
tcp      528      0 ::ffff:95.211.10.169:80    ::ffff:24.203.90.163:2290  ESTABLISHED
tcp      529      0 ::ffff:95.211.10.169:80    ::ffff:129.1.31.93:4646    CLOSE_WAIT 
tcp      536      0 ::ffff:95.211.10.169:80    ::ffff:200.77.144.43:42023  ESTABLISHED
tcp      538      0 ::ffff:95.211.10.169:80    ::ffff:87.208.191.218:51909 ESTABLISHED
tcp      547      0 ::ffff:95.211.10.169:80    ::ffff:89.134.70.155:4610  CLOSE_WAIT 
tcp      549      0 ::ffff:95.211.10.169:80    ::ffff:91.150.114.16:11949  ESTABLISHED
tcp      552      0 ::ffff:95.211.10.169:80    ::ffff:201.29.216.114:61179 CLOSE_WAIT 
tcp      553      0 ::ffff:95.211.10.169:80    ::ffff:69.250.23.83:38959  CLOSE_WAIT 
tcp      553      0 ::ffff:95.211.10.169:80    ::ffff:91.150.114.16:11948  ESTABLISHED
tcp      556      0 ::ffff:95.211.10.169:80    ::ffff:24.238.26.131:4387  CLOSE_WAIT 
tcp      556      0 ::ffff:95.211.10.169:80    ::ffff:24.238.26.131:4388  CLOSE_WAIT 
tcp      556      0 ::ffff:95.211.10.169:80    ::ffff:91.150.114.16:11946  ESTABLISHED
tcp      561      0 ::ffff:95.211.10.169:80    ::ffff:91.150.114.16:11945  ESTABLISHED
tcp      565      0 ::ffff:95.211.10.169:80    ::ffff:94.189.144.75:62532  CLOSE_WAIT 
tcp      566      0 ::ffff:95.211.10.169:80    ::ffff:69.250.23.83:39887  CLOSE_WAIT 
tcp      566      0 ::ffff:95.211.10.169:80    ::ffff:71.105.25.22:50343  CLOSE_WAIT 
tcp      569      0 ::ffff:95.211.10.169:80    ::ffff:87.114.146.77:49670  CLOSE_WAIT 
tcp      572      0 ::ffff:95.211.10.169:80    ::ffff:69.250.23.83:36593  CLOSE_WAIT 
tcp      572      0 ::ffff:95.211.10.169:80    ::ffff:69.250.23.83:42953  CLOSE_WAIT 
tcp      572      0 ::ffff:95.211.10.169:80    ::ffff:79.55.86.219:50245  CLOSE_WAIT 
tcp      574      0 ::ffff:95.211.10.169:80    ::ffff:77.51.10.24:46057    CLOSE_WAIT 
tcp      577      0 ::ffff:95.211.10.169:80    ::ffff:87.196.21.10:49359  CLOSE_WAIT 
tcp      583      0 ::ffff:95.211.10.169:80    ::ffff:193.179.147.25:14006 CLOSE_WAIT 
tcp      584      0 ::ffff:95.211.10.169:80    ::ffff:188.48.82.219:49322  CLOSE_WAIT 
tcp      590      0 ::ffff:95.211.10.169:80    ::ffff:120.50.180.171:2153  CLOSE_WAIT 
tcp      604      0 ::ffff:95.211.10.169:80    ::ffff:77.51.10.24:46055    CLOSE_WAIT 
tcp      612      0 ::ffff:95.211.10.169:80    ::ffff:77.51.10.24:46056    CLOSE_WAIT 
tcp      613      0 ::ffff:95.211.10.169:80    ::ffff:86.49.14.151:61271  ESTABLISHED
tcp      620      0 ::ffff:95.211.10.169:80    ::ffff:89.137.146.69:2894  CLOSE_WAIT 
tcp      621      0 ::ffff:95.211.10.169:80    ::ffff:76.225.187.232:61191 ESTABLISHED
tcp      628      0 ::ffff:95.211.10.169:80    ::ffff:189.84.86.105:1599  CLOSE_WAIT 
tcp      628      0 ::ffff:95.211.10.169:80    ::ffff:189.84.86.105:1601  CLOSE_WAIT 
tcp      628      0 ::ffff:95.211.10.169:80    ::ffff:189.84.86.105:1603  CLOSE_WAIT 
tcp      632      0 ::ffff:95.211.10.169:80    ::ffff:41.5.28.26:18778    CLOSE_WAIT 
tcp      634      0 ::ffff:95.211.10.169:80    ::ffff:189.30.226.197:61086 CLOSE_WAIT 
tcp      643      0 ::ffff:95.211.10.169:80    ::ffff:189.123.210.44:4998  CLOSE_WAIT 
tcp      649      0 ::ffff:95.211.10.169:80    ::ffff:24.250.124.104:42269 CLOSE_WAIT 
tcp      651      0 ::ffff:95.211.10.169:80    ::ffff:67.10.160.58:32969  CLOSE_WAIT 
tcp      655      0 ::ffff:95.211.10.169:80    ::ffff:125.165.64.213:1462  CLOSE_WAIT 
tcp      656      0 ::ffff:95.211.10.169:80    ::ffff:201.34.141.37:45240  ESTABLISHED
tcp      661      0 ::ffff:95.211.10.169:80    ::ffff:194.80.32.10:43557  CLOSE_WAIT 
tcp      726      0 ::ffff:95.211.10.169:80    ::ffff:24.177.14.59:1390    CLOSE_WAIT 
tcp      731      0 ::ffff:95.211.10.169:80    ::ffff:200.2.152.130:41983  CLOSE_WAIT 
tcp      733      0 ::ffff:95.211.10.169:80    ::ffff:90.40.196.232:52809  ESTABLISHED
tcp      733      0 ::ffff:95.211.10.169:80    ::ffff:90.40.196.232:52816  ESTABLISHED
tcp      760      0 ::ffff:95.211.10.169:80    ::ffff:74.216.117.95:60982  CLOSE_WAIT 
tcp      763      0 ::ffff:95.211.10.169:80    ::ffff:220.227.41.243:42352 ESTABLISHED
tcp      865      0 ::ffff:95.211.10.169:80    ::ffff:83.103.111.12:2905  ESTABLISHED
tcp      975      0 ::ffff:95.211.10.169:80    ::ffff:82.80.156.64:1263    CLOSE_WAIT

Am I under a DDoS attack? If so, please tell me how to avoid this.

jamescondron 05-29-2009 03:47 PM

Ban the IP for starters

anomie 05-29-2009 03:51 PM

Is this level of traffic unusual for your host? There are only 102 connections (in various states) in the output you posted.

If this is overwhelming your server resources, you're going to need to look at limiting client connections. Which MPM are you using? If you don't know, post the output of:

# httpd -l

salasi 05-29-2009 06:19 PM

Actually, I suspect not. There aren't that many open connections (well, not that many for a DDOS...it could just be an inept DDOS attack, of course) and quite a few of the connections are in '...waiting...' or '...ack...' states.

My suspicion is that there is something not quite right with, eg, the firewall and connections are hanging around in 'part-way-through' states.

Can you have a look and check that the firewall ruleset doesn't have anything suspicious in it?

Of course, you don't want to get complacent and not do anything about it just because it might be something else. If you can't quickly prove that it is something else, for safety, you probably have to assume it's a DDOS until proved otherwise.

dheeraj4uuu 05-30-2009 02:02 PM

1 Attachment(s)
Hello,

Thanks for the replies..

Actually my log is too big, about 500MB, and the connections that I posted are only a few of them. I have now attached the full list, about 30KB. Can you check it and tell me, please?

Every night at 11 PM and every morning at 5 AM my httpd has too many processes running, and it takes so much time to log in to my SSH at that time. I've checked my access log but I can't figure out what's wrong. Can you tell me whether I am under a DDoS attack or not?

dheeraj4uuu 05-30-2009 04:09 PM

Hello,

Here is an excerpt from my error log that I feel is suspicious:

Code:

[Thu May 28 00:10:07 2009] [notice] SIGHUP received.  Attempting to restart
[Thu May 28 00:10:08 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:10:08 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:10:08 2009] [notice] Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.9 Mod_Security 2.5.9 enabled configured -- resuming normal operations
[Thu May 28 00:11:01 2009] [notice] caught SIGTERM, shutting down
[Thu May 28 00:11:03 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:11:03 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 28 00:11:03 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:11:03 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Thu May 28 00:11:03 2009] [notice] Original server signature: Apache/2
[Thu May 28 00:11:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:11:04 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:11:04 2009] [notice] Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.9 Mod_Security 2.5.9 enabled configured -- resuming normal operations
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/redir, referer: http://127.0.0.1/
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/404.shtml, referer: http://127.0.0.1/
[Thu May 28 00:42:10 2009] [error] [client 81.172.1.139] File does not exist: /var/www/html/b4g8zp.jpg, referer: http://www.legendarydevils.com/tv-sh...-episodes.html
[Thu May 28 00:42:10 2009] [error] [client 81.172.1.139] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/tv-sh...-episodes.html
[Thu May 28 01:29:28 2009] [error] [client 190.11.65.181] request failed: error reading the headers
[Thu May 28 01:30:21 2009] [error] [client 72.234.148.150] Invalid URI in request HTTP/1.1 200 OK
[Thu May 28 01:30:21 2009] [error] [client 72.234.148.150] File does not exist: /var/www/html/400.shtml
[Thu May 28 01:43:52 2009] [error] [client 87.106.65.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu May 28 05:03:27 2009] [error] [client 203.87.176.18] request failed: error reading the headers, referer: http://www.legendarydevils.com/windo...untouched.html
[Thu May 28 07:12:10 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/adserver, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:10 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:12 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/st, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:12 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/utili...eaver-cs4.html

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned
[Thu May 28 07:40:20 2009] [warn] child process 2374 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2746 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2858 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2418 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2474 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2666 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3098 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3102 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2507 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3119 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3139 still did not exit, sending a SIGTERM
.
.
.
.

and there are a lot of processes...
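The error log above mixes several unrelated things: restart notices, "File does not exist" noise, a malformed request from a scanner, header reads that failed before the request completed, and children that had to be SIGTERMed on restart. Sorting the lines into those buckets, and then asking which clients produce the one bucket that actually ties up httpd children (header reads that never complete), is the first triage step. The following is an added example, not code from the thread; the log lines in it are constructed to mirror the posted format and use documentation-range IPs, and the bucket names are my own labels.

```shell
#!/bin/sh
# Added example (not from the thread): triage an Apache error_log for a
# "too many httpd processes" investigation.
#
# Constructed sample lines modelled on the posted error_log; they are not
# the original entries.
SAMPLE_ERROR_LOG='[Thu May 28 00:42:10 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/b4g8zp.jpg, referer: http://www.example.com/page.html
[Thu May 28 00:42:10 2009] [error] [client 203.0.113.5] File does not exist: /var/www/html/404.shtml, referer: http://www.example.com/page.html
[Thu May 28 01:29:28 2009] [error] [client 198.51.100.9] request failed: error reading the headers
[Thu May 28 01:30:21 2009] [error] [client 198.51.100.9] request failed: error reading the headers
[Thu May 28 01:43:52 2009] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu May 28 07:40:20 2009] [warn] child process 2374 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2746 still did not exit, sending a SIGTERM
[Thu May 28 00:10:07 2009] [notice] SIGHUP received.  Attempting to restart'

# Sort error_log lines (stdin) into buckets and count each one.
# "slow_or_aborted_client" is Apache giving up on a connection before a
# complete request header arrived; that is the bucket that holds a child busy.
# Live use:  errlog_classes < /var/log/httpd/error_log
errlog_classes() {
    awk '
        /request failed: error reading the headers/ { c["slow_or_aborted_client"]++; next }
        /request without hostname/                  { c["malformed_request"]++; next }
        /File does not exist/                       { c["missing_file"]++; next }
        /still did not exit, sending a SIGTERM/     { c["child_not_exiting"]++; next }
        /SIGHUP received|caught SIGTERM/            { c["restart"]++; next }
                                                    { c["other"]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Count lines per client IP, restricted to lines matching an awk regex ($1).
# Only lines carrying a "[client a.b.c.d]" tag are counted.
errlog_clients_matching() {
    pattern="$1"
    awk -v pat="$pattern" '
        $0 ~ pat && match($0, /\[client [0-9a-fA-F.:]+\]/) {
            ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# All clients, busiest first.
errlog_top_clients() {
    errlog_clients_matching '.'
}

# Demonstration on the constructed sample.
echo "== line classes =="
printf '%s\n' "$SAMPLE_ERROR_LOG" | errlog_classes
echo "== clients whose header reads failed =="
printf '%s\n' "$SAMPLE_ERROR_LOG" | errlog_clients_matching 'error reading the headers'
echo "== all clients =="
printf '%s\n' "$SAMPLE_ERROR_LOG" | errlog_top_clients
```

Run the same functions against the real error_log for the 11 PM and 5 AM windows and compare the "slow_or_aborted_client" count and its client list with a quiet hour; a handful of addresses owning most of those lines is a very different picture from the same failures spread thinly across ordinary visitors.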

anomie 05-30-2009 04:30 PM

@dheeraj4uuu: A simple question for you -- do you want to lower the limit on client connections at the Apache web server level or not? I don't quite follow your analysis, but if you feel restricting client connections is a possible solution, then please post the output of the command I mentioned earlier in the thread.

dheeraj4uuu 05-31-2009 12:20 AM

Hello,

This is the output of the command:

Code:

Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_logio.c
  mod_env.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_proxy.c
  mod_proxy_connect.c
  mod_proxy_ftp.c
  mod_proxy_http.c
  mod_proxy_ajp.c
  mod_proxy_balancer.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dav.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_suexec.c
  mod_cgi.c
  mod_dav_fs.c
  mod_dav_lock.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c

I just want to block the attack, that's it. Whatever you ask me to do to stop the attack, I will do. But one thing: I get a lot of visitors daily, about 35k.

Waiting for replies.

dheeraj4uuu 05-31-2009 12:26 PM

Hello,

Here is the output of

Code:

netstat -plan|grep :80 |awk '{print $5}' | awk -F : '{print $(NF-1)}' | sort | uniq -c | sort -n

Code:

  1
      1 117.195.144.84
      1 117.198.160.186
      1 121.97.156.198
      1 123.125.64.49
      1 123.125.66.66
      1 125.24.38.178
      1 125.27.44.255
      1 174.36.52.103
      1 174.36.52.109
      1 174.36.52.110
      1 174.36.52.97
      1 187.14.4.118
      1 187.26.168.43
      1 187.46.168.1
      1 188.27.42.167
      1 189.110.214.46
      1 190.140.72.79
      1 190.212.22.178
      1 194.208.145.12
      1 200.126.220.42
      1 200.79.250.128
      1 201.170.231.19
      1 201.231.225.85
      1 206.172.78.158
      1 208.85.242.212
      1 212.92.30.249
      1 213.22.92.115
      1 213.6.140.227
      1 216.93.128.22
      1 217.230.118.21
      1 219.15.216.46
      1 220.129.79.130
      1 221.137.151.15
      1 24.63.112.224
      1 41.221.19.167
      1 41.238.53.231
      1 58.227.167.246
      1 61.245.53.216
      1 62.163.240.198
      1 62.99.163.106
      1 64.255.180.39
      1 64.27.16.90
      1 65.75.245.106
      1 66.249.67.230
      1 66.249.85.68
      1 67.228.157.56
      1 67.228.157.57
      1 67.80.31.171
      1 68.37.30.126
      1 69.171.162.48
      1 69.65.10.238
      1 71.76.207.32
      1 74.125.75.17
      1 74.210.142.60
      1 77.23.144.89
      1 77.49.70.58
      1 77.99.132.162
      1 78.129.157.190
      1 78.144.236.28
      1 78.144.94.245
      1 78.148.26.135
      1 78.45.3.33
      1 78.86.216.14
      1 79.148.180.52
      1 79.162.240.158
      1 79.175.75.210
      1 79.186.42.218
      1 79.186.65.23
      1 79.89.160.27
      1 80.201.206.118
      1 81.109.18.93
      1 81.19.2.90
      1 81.200.48.115
      1 82.100.0.234
      1 82.2.161.246
      1 82.247.232.148
      1 82.53.14.58
      1 83.134.149.208
      1 83.19.247.146
      1 83.45.38.177
      1 84.152.98.13
      1 84.171.111.208
      1 84.3.144.40
      1 84.72.159.163
      1 85.179.61.247
      1 85.180.232.188
      1 86.156.137.5
      1 87.146.72.25
      1 87.149.231.110
      1 87.16.219.40
      1 87.19.62.135
      1 87.207.205.34
      1 87.4.249.125
      1 88.0.107.229
      1 88.19.139.42
      1 88.209.245.181
      1 88.210.118.18
      1 88.228.151.202
      1 88.70.91.234
      1 89.17.0.102
      1 89.172.120.134
      1 89.235.217.159
      1 89.245.198.73
      1 89.77.155.250
      1 90.151.145.107
      1 90.184.159.93
      1 90.200.121.112
      1 90.55.2.56
      1 91.121.177.44
      1 91.163.31.138
      1 91.205.172.104
      1 92.101.191.158
      1 92.106.48.211
      1 92.236.214.203
      1 92.85.125.157
      1 93.86.181.63
      1 93.96.153.89
      1 94.194.156.177
      1 96.31.65.66
      1 96.31.69.43
      1 96.31.69.56
      1 98.64.112.145
      1 99.242.33.234
      2 122.164.38.112
      2 151.50.44.199
      2 173.64.83.232
      2 174.36.52.101
      2 174.36.52.99
      2 188.3.228.182
      2 195.158.69.231
      2 207.200.116.14
      2 213.222.160.19
      2 67.228.157.58
      2 72.160.57.248
      2 77.49.76.143
      2 79.144.226.230
      2 80.57.35.39
      2 83.12.105.146
      2 83.76.95.234
      2 84.151.238.144
      2 84.192.86.96
      2 85.64.111.21
      2 86.120.92.44
      2 86.96.228.93
      2 87.15.166.73
      2 87.171.183.186
      2 87.205.37.99
      2 90.186.228.40
      2 91.127.89.8
      2 92.229.82.34
      2 93.133.57.214
      2 94.217.251.225
      2 94.222.124.233
      2 94.251.185.244
      2 94.71.175.139
      3 174.36.52.100
      3 174.36.52.102
      3 174.36.52.104
      3 174.36.52.107
      3 174.36.52.96
      3 212.21.233.80
      3 67.228.157.59
      3 75.54.219.44
      3 77.49.70.29
      3 79.14.136.25
      3 81.100.245.153
      3 83.1.68.200
      3 89.39.218.176
      4 65.36.241.79
      4 71.60.228.163
      5 174.36.52.105
      5 79.45.36.123
      5 86.96.227.86
      5 90.179.140.209
      6 210.1.242.106
      6 62.194.13.99
      6 81.105.114.27
      6 84.251.15.71
      7 220.227.15.133
      7 41.238.103.236
      9 93.86.98.23
    12 124.43.233.34

I ran the above command and this is what I got. Am I under attack?
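Both the netstat listing in the first post and the per-IP one-liner in this post are answering the same question, and the answer is in two numbers: how many connections sit in each TCP state, and how many of the non-ESTABLISHED ones belong to a single client. The one-liner also picks up the LISTEN socket (the empty "1" at the top of its output) and matches any port containing ":80". Below is an added example, not code from the thread, that does the same counting with the local port matched exactly and LISTEN dropped; the netstat lines in it are constructed (documentation-range client IPs, the posted server address) and are not the original list.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `netstat -an` output for a
# web server port by TCP state and by remote client.
#
# Constructed sample lines modelled on the output posted in the thread.
SAMPLE_NETSTAT='tcp        0      0 :::80                      :::*                        LISTEN
tcp        0   1491 ::ffff:95.211.10.169:80    ::ffff:203.0.113.10:2263    LAST_ACK
tcp      218      0 ::ffff:95.211.10.169:80    ::ffff:198.51.100.7:45186   CLOSE_WAIT
tcp      218      0 ::ffff:95.211.10.169:80    ::ffff:198.51.100.7:46711   CLOSE_WAIT
tcp      405      0 ::ffff:95.211.10.169:80    ::ffff:198.51.100.7:48590   CLOSE_WAIT
tcp      374      0 ::ffff:95.211.10.169:80    ::ffff:192.0.2.44:51908     ESTABLISHED
tcp        0      0 ::ffff:95.211.10.169:8080  ::ffff:192.0.2.99:40001     ESTABLISHED
tcp        0      0 ::ffff:95.211.10.169:80    ::ffff:192.0.2.44:51909     ESTABLISHED'

# "STATE count" for every connection whose local port is $1 (stdin = netstat -an).
# The local port is matched exactly, so :8080 is not mistaken for :80, and
# the LISTEN socket is skipped.
# Live use:  netstat -an | conn_states 80
conn_states() {
    port="$1"
    awk -v port="$port" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 != "LISTEN" { n[$6]++ }
        END { for (s in n) print s, n[s] }' | sort
}

# Connections per remote IP on port $1, busiest last. Same idea as the posted
# one-liner, without the LISTEN row and with the IPv4-mapped prefix removed.
# Live use:  netstat -an | conns_per_client 80
conns_per_client() {
    port="$1"
    awk -v port="$port" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5
            sub(/^::ffff:/, "", ip)      # ::ffff:1.2.3.4 -> 1.2.3.4
            sub(/:[0-9]+$/, "", ip)      # drop the remote port
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -n
}

# Clients holding at least $2 connections on port $1 that are NOT ESTABLISHED.
# CLOSE_WAIT means the client already closed and httpd has not; LAST_ACK with
# a non-zero Send-Q means the server closed and the client never acknowledged.
# Many of either from one address deserves a look; a few from many addresses
# is normal background.
half_closed_clients() {
    port="$1"; threshold="$2"
    awk -v port="$port" -v t="$threshold" '
        $1 == "tcp" && $4 ~ (":" port "$") && $6 != "LISTEN" && $6 != "ESTABLISHED" {
            ip = $5; sub(/^::ffff:/, "", ip); sub(/:[0-9]+$/, "", ip); n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -n
}

# Demonstration on the constructed sample.
echo "== connections by state =="
printf '%s\n' "$SAMPLE_NETSTAT" | conn_states 80
echo "== connections per client =="
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_client 80
echo "== clients with >= 3 half-closed sockets =="
printf '%s\n' "$SAMPLE_NETSTAT" | half_closed_clients 80 3
```

Snapshot these three outputs every few minutes across one of the 11 PM or 5 AM windows and again during a quiet hour. The posted list has 102 connections total, none of them from a single address more than a dozen times, which is what anomie and salasi are pointing at: the state breakdown and the per-client spread tell you whether this is a flood or a pile of stuck sockets before you start banning anything.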

anomie 05-31-2009 04:07 PM

@dheeraj4uuu: We don't precisely know if you are under attack. You need to be monitoring your server for normal and peak activity, and then pay attention to unusual patterns. What sort of access_log activity do you see from the suspected DDOSers?

You're using the prefork MPM, which you can read about here. If this extra web server activity is causing your server itself to be overwhelmed, I would recommend carefully tweaking the MaxClients directive to something more appropriate.

Note that this is not a silver bullet. It may cause legitimate clients to have to wait (and in really bad cases, time out). But this is the way to reduce the load on your server.
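With prefork every client connection is one httpd child, so the limit that keeps the box from swapping (and from locking you out of SSH) is roughly the memory you can give httpd divided by what one child uses; anything above that and the server is overwhelmed long before MaxClients is reached. The following is an added example, not code from the thread or from the Apache project: it reads the MPM off `httpd -l` output, sizes MaxClients from memory figures, and emits a prefork stanza in the layout of the stock RHEL5 httpd.conf. The `httpd -l` excerpt, RSS sample and memory numbers are constructed; the live commands to use instead are noted beside each.

```shell
#!/bin/sh
# Added example (not from the thread): identify the MPM from `httpd -l` and
# derive a memory-safe MaxClients for prefork.

# Constructed `httpd -l` output, trimmed to the lines that matter.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_so.c'

# Print the compiled-in MPM (prefork, worker or event) found on stdin.
# Live use:  httpd -l | mpm_name
mpm_name() {
    awk '/^ *(prefork|worker|event)\.c$/ { sub(/\.c$/, "", $1); print $1; exit }'
}

# Average RSS in kB of the httpd children listed on stdin, one RSS per line.
# Live use:  ps -o rss= -C httpd | avg_rss
avg_rss() {
    awk '{ s += $1; n++ } END { if (n) print int(s / n); else print 0 }'
}

# MaxClients that fits in memory:
#   (total RAM - what the rest of the system needs) / average child RSS
# Arguments in kB; rounded down and never below 1.
# Live inputs:  awk "/MemTotal/ {print \$2}" /proc/meminfo  for the total.
max_clients_for() {
    mem_total_kb="$1"; reserve_kb="$2"; avg_rss_kb="$3"
    n=$(( (mem_total_kb - reserve_kb) / avg_rss_kb ))
    [ "$n" -ge 1 ] || n=1
    echo "$n"
}

# Prefork stanza with the computed limit, laid out like the stock RHEL5
# httpd.conf. ServerLimit caps MaxClients: if MaxClients is higher, Apache
# warns and lowers it to ServerLimit, so the two are set together here.
prefork_stanza() {
    max="$1"
    cat <<EOF
<IfModule prefork.c>
    StartServers         8
    MinSpareServers      5
    MaxSpareServers     20
    ServerLimit        $max
    MaxClients         $max
    MaxRequestsPerChild 4000
</IfModule>
EOF
}

# Demonstration with constructed figures: a 2 GB host, 512 MB held back for
# the kernel, database and SSH, and four httpd children at about 25 MB each.
SAMPLE_RSS='24600
25800
26100
24900'
mpm=$(printf '%s\n' "$SAMPLE_HTTPD_L" | mpm_name)
rss=$(printf '%s\n' "$SAMPLE_RSS" | avg_rss)
echo "MPM: $mpm, average child RSS: ${rss} kB"
if [ "$mpm" = "prefork" ]; then
    prefork_stanza "$(max_clients_for 2097152 524288 "$rss")"
fi
```

Measure the child RSS during one of the busy windows rather than at idle, since PHP-heavy children grow, and size the reserve to what the rest of the machine actually needs. This only keeps the server responsive under load; as the post says, clients beyond the limit queue or time out, which is the trade-off being made deliberately.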


All times are GMT -5.