LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 04-29-2010, 08:32 AM   #1
fabi_aldana
LQ Newbie
 
Registered: Apr 2010
Posts: 4

What I need to help me do the analysis and tell me what else I can check the access_l


My server failed and I want to know if it was an attack, what type and from where. This is the information I get from the messages file:
Mar 14 04:14:31 vmhttpd1 syslogd 1.4.1: restart.
Mar 14 14:32:50 vmhttpd1 collectd[3309]: apache: curl_easy_perform failed: couldn't connect to host
Mar 14 14:32:50 vmhttpd1 collectd[3309]: read-function of plugin `apache' failed. Will suspend it for 10 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: connect failed: Connection refused
Mar 14 15:14:21 vmhttpd1 collectd[3309]: apcups plugin: Connecting to the apcupsd failed.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: hddtemp plugin: connect (127.0.0.1, 7634) failed: Connection refused
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `apcups' failed. Will suspend it for 81920 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: hddtemp plugin: Could not connect to daemon.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `hddtemp' failed. Will suspend it for 81920 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: mbmon: connect (127.0.0.1, 411): Connection refused
Mar 14 15:14:21 vmhttpd1 collectd[3309]: mbmon: Could not connect to daemon.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `mbmon' failed. Will suspend it for 81920 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: multimeter plugin: swrite failed.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `multimeter' failed. Will suspend it for 81920 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: recv(2) failed: Connection refused
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `ntpd' failed. Will suspend it for 81920 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: vserver plugin: fopen (/proc/virtual): No such file or directory
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `wireless' failed. Will suspend it for 81920 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: read-function of plugin `vserver' failed. Will suspend it for 81920 seconds.
Mar 14 15:16:51 vmhttpd1 collectd[3309]: memcached: Error reading from socket: Connection refused

Inside this file I get the following
Mar 14 16:24:55 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:26:49 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:30:44 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:32:10 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:34:23 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:36:07 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:37:20 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:38:27 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:41:57 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:44:49 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:46:13 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:14:18 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:15:34 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:16:53 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:18:05 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:19:08 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:20:09 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:21:12 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:22:18 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:23:35 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:27:15 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:28:19 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 17:29:21 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
 
Old 04-30-2010, 03:30 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
Originally Posted by fabi_aldana
Code:
Mar 14 14:32:50 vmhttpd1 collectd[3309]: apache: curl_easy_perform failed: couldn't connect to host
Mar 14 14:32:50 vmhttpd1 collectd[3309]: read-function of plugin `apache' failed. Will suspend it for 10 seconds.
Mar 14 15:14:21 vmhttpd1 collectd[3309]: connect failed: Connection refused
Note the process in question is collectd, the statistics package daemon. Apparently it wasn't able to connect to your webserver. From these lines it is however not clear if it is a remote web server or a local one and what the cause for failure was.


Quote:
Originally Posted by fabi_aldana
Inside this file I get the following
Code:
Mar 14 16:24:55 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
See 4.17.2 Configuring syncookies (and reference) for a basic understanding of SYN cookies. Basically, when it is enabled, protection will kick in when the table of half-open SYN connections fills up.


Quote:
Originally Posted by fabi_aldana
want to know if it was an attack, what type and from where.
It may have been an attack, but your log excerpts only indicate a large amount of HTTP requests. Where the requests originate from, or whether they are valid for your hosted content, does not show from your logs: see your web server's access_log and error_log. Whether these requests are spoofed or invalid at the TCP/IP level cannot be gathered from your logs either: they would only show in syslog if you have the appropriate ruleset (dropping bogons and invalid packets) and the related logging rules enabled.
 
Old 05-01-2010, 11:20 PM   #3
fabi_aldana
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
results of access_log for analysis

Ok, but I have another doubt. The server had MaxClients 17000; these are the results of the access_log. So apparently it was not an attack then, right?
Hours          Hits
13:00-13:59     397
11:00-11:59     418
12:00-12:59     432
14:00-14:59     511
10:00-10:59    1754
00:00-00:59    4267
01:00-01:59    4459
09:00-09:59    5872
08:00-08:59    9741
06:00-06:59    9987
07:00-07:59   10039
05:00-05:59   10067
04:00-04:59   10105
03:00-03:59   10258
20:00-20:59   19566
02:00-02:59   20342
15:00-15:59  200894
16:00-16:59  609544
17:00-17:59  610313
18:00-18:59  648812
19:00-19:59  651371
Statistics - Status Codes
Date         1xx      2xx      3xx     4xx     5xx
14/03/2010     0  2097534   660573    2076   78966
Statistics - File Types
Date          ROOT     PHP     HTML      JS
14/03/2010  108201   15489    22247  411237

Statistics - Total Bandwidth
14/03/2010  2469 MB
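The access_log checks unSpawn points at in post #2, run over the kind of data in the hourly table above, as an added example (not code from the thread): it parses combined-format lines, counts hits per hour, top source addresses and status classes, and flags the hours that sit far above the median, which goes one step beyond the thread by turning the table into a test. The log lines are constructed, the combined LogFormat and the address values are assumptions, and the hourly dictionary is the table the original poster pasted above.

```python
"""Added example, not code from the thread: summarise an Apache access_log
(combined format) by hour, source address and status class, then flag the
hours that stand out. Sample log lines are constructed; the hourly table is
the one the original poster reported for 14/03/2010."""
import re
from collections import Counter
from statistics import median

# Apache "combined" LogFormat. The poster's real LogFormat is not shown in the
# thread, so this pattern is an assumption; adjust it to match yours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: two ordinary clients, then a burst from two addresses
# that hammer "/" with HTTP/1.0 and no User-Agent until the server answers 503.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2010:14:10:01 -0500] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.8 - - [14/Mar/2010:14:35:44 -0500] "GET /js/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Mar/2010:15:02:13 -0500] "GET /missing.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Mar/2010:16:24:50 -0500] "GET / HTTP/1.0" 200 4521 "-" "-"
203.0.113.5 - - [14/Mar/2010:16:24:50 -0500] "GET / HTTP/1.0" 200 4521 "-" "-"
203.0.113.5 - - [14/Mar/2010:16:24:51 -0500] "GET / HTTP/1.0" 503 254 "-" "-"
203.0.113.9 - - [14/Mar/2010:16:24:51 -0500] "GET / HTTP/1.0" 200 4521 "-" "-"
203.0.113.9 - - [14/Mar/2010:16:24:52 -0500] "GET / HTTP/1.0" 503 254 "-" "-"
203.0.113.5 - - [14/Mar/2010:16:24:52 -0500] "GET / HTTP/1.0" 503 254 "-" "-"
garbage line that does not match the format and is skipped
"""

# Hits per hour as posted by the original poster for 14/03/2010
# (hours 21 to 23 are absent from that table).
OP_HITS_PER_HOUR = {
    "00": 4267, "01": 4459, "02": 20342, "03": 10258, "04": 10105, "05": 10067,
    "06": 9987, "07": 10039, "08": 9741, "09": 5872, "10": 1754, "11": 418,
    "12": 432, "13": 397, "14": 511, "15": 200894, "16": 609544, "17": 610313,
    "18": 648812, "19": 651371, "20": 19566,
}


def parse(lines):
    """Yield (ip, hour, status) for every line that matches LOG_RE."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            # timestamp looks like 14/Mar/2010:16:24:50 -0500; field 1 is the hour
            yield m.group("ip"), m.group("ts").split(":")[1], m.group("status")


def hits_per_hour(lines):
    return Counter(hour for _, hour, _ in parse(lines))


def top_sources(lines, n=5):
    """Most active client addresses. A handful of addresses dominating the log
    points at abuse or a broken client rather than organic traffic."""
    return Counter(ip for ip, _, _ in parse(lines)).most_common(n)


def status_classes(lines):
    return Counter(status[0] + "xx" for _, _, status in parse(lines))


def spike_hours(per_hour, factor=10):
    """Hours with at least `factor` times the median hourly count: the windows
    to line up against the kernel's SYN-flood messages in /var/log/messages."""
    baseline = median(per_hour.values())
    return sorted(h for h, n in per_hour.items() if n >= factor * baseline)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per hour:", dict(sorted(hits_per_hour(lines).items())))
    print("top sources:", top_sources(lines, 3))
    print("status classes:", dict(status_classes(lines)))
    print("spike hours in sample:", spike_hours(hits_per_hour(lines), factor=3))
    print("spike hours in poster's table:", spike_hours(OP_HITS_PER_HOUR))
```

On the real file, pass the open log instead of the sample (for example `top_sources(open("/var/log/httpd/access_log"), 10)`; the path is an assumption). One caveat matters for this thread: access_log only records requests whose TCP handshake completed and that Apache answered, so a spoofed SYN flood leaves no trace in it at all, which is why unSpawn points at netfilter logging for the packet-level question. The spike in the hourly table (15:00 to 19:59) and the kernel messages (16:24 to 17:29) overlap in time, which fits a real HTTP-level flood or a crawler storm, but the source addresses and request lines from access_log are what settle it.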
 
Old 05-01-2010, 11:24 PM   #4
fabi_aldana
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Original Poster
SYN Cookies configuration

This means that the syncookies are configured on the server?

Mar 14 16:24:55 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:26:49 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
Mar 14 16:30:44 vmhttpd1 kernel: possible SYN flooding on port 80. Sending cookies.
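Post #2 explains that cookies kick in when the table of half-open connections fills up, and post #4 asks whether the message means syncookies are configured. The kernel logs "possible SYN flooding on port 80. Sending cookies." only when net.ipv4.tcp_syncookies is enabled and the listen socket's SYN queue is full, so the answer is yes. The following added example (not code from the thread or from the Linux kernel) models the mechanism: a simplified SYN-cookie scheme in the style of Bernstein's original, plus a bounded half-open table that falls back to cookies once full. The bit layout, the HMAC-SHA256 hash, the MSS table, the 64-second counter and every address and port are this example's assumptions; the kernel's real encoding differs in detail.

```python
"""Added example, not code from the thread or the Linux kernel: a simplified
SYN-cookie handshake in the style of D. J. Bernstein's scheme, to show what
"possible SYN flooding on port 80. Sending cookies." means. The bit layout,
HMAC-SHA256, MSS table and 64-second counter are this example's assumptions."""
import hashlib
import hmac
import os

MSS_TABLE = (536, 1300, 1440, 1460)   # assumption: the only MSS values a cookie can carry
COUNTER_PERIOD = 64                    # seconds per cookie generation (assumption)
SECRET = os.urandom(16)                # per-boot server secret


def _hash24(secret, saddr, sport, daddr, dport, count, mss_idx):
    """24-bit keyed hash over the 4-tuple, the time counter and the MSS index."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{count}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now, secret=SECRET):
    """Initial sequence number for the SYN-ACK: 5 bits of counter, 3 bits of
    MSS index, 24 bits of hash. The server stores nothing for this SYN."""
    count = now // COUNTER_PERIOD
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    h = _hash24(secret, saddr, sport, daddr, dport, count, mss_idx)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | h


def check_cookie(saddr, sport, daddr, dport, ack, now, secret=SECRET, max_age=2):
    """Validate the final ACK of a cookie handshake. Returns the MSS to use,
    or None if the cookie is forged, belongs to another 4-tuple, or is stale."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count_bits, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = now // COUNTER_PERIOD
    for age in range(max_age + 1):        # accept the current and the last two counters
        count = current - age
        if (count & 0x1F) != count_bits:
            continue
        expected = _hash24(secret, saddr, sport, daddr, dport, count, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class Listener:
    """Model of a listening socket: a bounded half-open table, cookies once it is full."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}       # (saddr, sport) -> (isn, mss)
        self.cookies_sent = 0

    def on_syn(self, saddr, sport, daddr, dport, mss, now):
        if len(self.half_open) < self.backlog:
            isn = int.from_bytes(os.urandom(4), "big")
            self.half_open[(saddr, sport)] = (isn, mss)
            return isn
        # Table full: this is the point at which Linux logs "possible SYN
        # flooding on port N. Sending cookies." and stops keeping state.
        self.cookies_sent += 1
        return make_cookie(saddr, sport, daddr, dport, mss, now)

    def on_ack(self, saddr, sport, daddr, dport, ack, now):
        entry = self.half_open.pop((saddr, sport), None)
        if entry is not None:
            isn, mss = entry
            return mss if (isn + 1) & 0xFFFFFFFF == ack else None
        return check_cookie(saddr, sport, daddr, dport, ack, now)


def simulate_flood(n_spoofed=10_000, backlog=128, now=1_268_600_000):
    """Spoofed SYNs never complete the handshake, so they fill the table once
    and then cost nothing; a legitimate client still gets through."""
    srv = Listener(backlog)
    for i in range(n_spoofed):
        spoofed = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        srv.on_syn(spoofed, 40000 + i % 20000, "192.0.2.10", 80, 1460, now)
    seq = srv.on_syn("198.51.100.7", 51515, "192.0.2.10", 80, 1460, now)
    mss = srv.on_ack("198.51.100.7", 51515, "192.0.2.10", 80, (seq + 1) & 0xFFFFFFFF, now + 1)
    return len(srv.half_open), srv.cookies_sent, mss


if __name__ == "__main__":
    print("half-open entries, cookies sent, client's MSS:", simulate_flood())
    c = make_cookie("198.51.100.7", 51516, "192.0.2.10", 80, 1400, 1000)
    print("client offered MSS 1400, cookie round-trips:",
          check_cookie("198.51.100.7", 51516, "192.0.2.10", 80, (c + 1) & 0xFFFFFFFF, 1001))
```

What the simulation shows: spoofed SYNs fill the table once and then cost nothing, a real client still completes its handshake during the flood, and stale, forged or re-addressed ACKs are rejected without any lookup. The price is that the server remembers only what fits in the 32-bit sequence number, here an MSS rounded down to a table entry (a client offering 1400 gets 1300 back), which is why Linux uses cookies only once the backlog is full instead of always. On the real host, `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog` shows whether cookies are enabled and how large the half-open table is before the message appears.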
 
Old 05-02-2010, 06:04 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

I'm sorry to say but you haven't posted anything that helps me to help you.
 
  

