Old 05-29-2009, 02:42 PM   #1
dheeraj4uuu
DDoS attack, help me


Hello,

My server is running too many httpd processes. I think I am under a DDoS attack. I executed the following command:

Code:
netstat -an | grep :80 | sort
and the result is this:

Code:
tcp        0   1491 ::ffff:95.211.10.169:80     ::ffff:213.215.100.110:2263 LAST_ACK    
tcp        0   1493 ::ffff:95.211.10.169:80     ::ffff:85.207.126.231:52694 LAST_ACK    
tcp        0   1533 ::ffff:95.211.10.169:80     ::ffff:207.54.100.81:1907   LAST_ACK    
tcp        0   1555 ::ffff:95.211.10.169:80     ::ffff:94.216.199.59:49666  LAST_ACK    
tcp        0   1556 ::ffff:95.211.10.169:80     ::ffff:79.199.224.51:1250   LAST_ACK    
tcp        0   1558 ::ffff:95.211.10.169:80     ::ffff:207.219.125.9:4445   LAST_ACK    
tcp        0   1569 ::ffff:95.211.10.169:80     ::ffff:122.161.153.56:2788  LAST_ACK    
tcp        0   1579 ::ffff:95.211.10.169:80     ::ffff:62.31.54.30:50167    LAST_ACK    
tcp        0   1584 ::ffff:95.211.10.169:80     ::ffff:79.101.147.239:54629 LAST_ACK    
tcp        0   1604 ::ffff:95.211.10.169:80     ::ffff:89.132.65.227:4880   LAST_ACK    
tcp        0   1617 ::ffff:95.211.10.169:80     ::ffff:82.25.181.8:4227     LAST_ACK    
tcp        0   1628 ::ffff:95.211.10.169:80     ::ffff:77.46.252.70:2116    LAST_ACK    
tcp        0   1723 ::ffff:95.211.10.169:80     ::ffff:88.178.111.6:3838    LAST_ACK    
tcp        0   3252 ::ffff:95.211.10.169:80     ::ffff:76.120.33.115:4181   LAST_ACK    
tcp      106      0 ::ffff:95.211.10.169:80     ::ffff:174.132.216.26:38244 ESTABLISHED 
tcp      163      0 ::ffff:95.211.10.169:80     ::ffff:193.2.216.130:41690  CLOSE_WAIT  
tcp      164      0 ::ffff:95.211.10.169:80     ::ffff:76.174.2.134:65249   CLOSE_WAIT  
tcp      177      0 ::ffff:95.211.10.169:80     ::ffff:119.63.194.124:46871 CLOSE_WAIT  
tcp      196      0 ::ffff:95.211.10.169:80     ::ffff:77.232.69.160:51396  CLOSE_WAIT  
tcp      213      0 ::ffff:95.211.10.169:80     ::ffff:174.36.52.105:38332  CLOSE_WAIT  
tcp      218      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:45186  CLOSE_WAIT  
tcp      218      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:46711  CLOSE_WAIT  
tcp      218      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:47529  CLOSE_WAIT  
tcp      219      0 ::ffff:95.211.10.169:80     ::ffff:67.228.157.57:53628  CLOSE_WAIT  
tcp      225      0 ::ffff:95.211.10.169:80     ::ffff:75.7.19.214:61179    CLOSE_WAIT  
tcp      226      0 ::ffff:95.211.10.169:80     ::ffff:174.36.52.109:57823  CLOSE_WAIT  
tcp      226      0 ::ffff:95.211.10.169:80     ::ffff:174.36.52.98:45852   CLOSE_WAIT  
tcp      228      0 ::ffff:95.211.10.169:80     ::ffff:174.36.52.98:32786   CLOSE_WAIT  
tcp      231      0 ::ffff:95.211.10.169:80     ::ffff:75.37.34.143:50308   CLOSE_WAIT  
tcp      247      0 ::ffff:95.211.10.169:80     ::ffff:174.36.52.110:35686  CLOSE_WAIT  
tcp      253      0 ::ffff:95.211.10.169:80     ::ffff:75.37.34.143:50198   CLOSE_WAIT  
tcp      253      0 ::ffff:95.211.10.169:80     ::ffff:97.74.24.1:34023     CLOSE_WAIT  
tcp      275      0 ::ffff:95.211.10.169:80     ::ffff:66.249.68.230:33723  CLOSE_WAIT  
tcp      332      0 ::ffff:95.211.10.169:80     ::ffff:74.55.61.2:3147      CLOSE_WAIT  
tcp      367      0 ::ffff:95.211.10.169:80     ::ffff:213.55.78.183:38888  ESTABLISHED 
tcp      368      0 ::ffff:95.211.10.169:80     ::ffff:93.86.209.115:58909  CLOSE_WAIT  
tcp      374      0 ::ffff:95.211.10.169:80     ::ffff:87.208.191.218:51908 ESTABLISHED 
tcp      380      0 ::ffff:95.211.10.169:80     ::ffff:82.236.100.52:3241   ESTABLISHED 
tcp      405      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:45525  CLOSE_WAIT  
tcp      405      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:46994  CLOSE_WAIT  
tcp      405      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:48590  CLOSE_WAIT  
tcp      413      0 ::ffff:95.211.10.169:80     ::ffff:71.254.106.108:50578 ESTABLISHED 
tcp      417      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:49632  CLOSE_WAIT  
tcp      420      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:55229  CLOSE_WAIT  
tcp      434      0 ::ffff:95.211.10.169:80     ::ffff:92.249.214.140:49432 ESTABLISHED 
tcp      445      0 ::ffff:95.211.10.169:80     ::ffff:189.19.6.79:62627    CLOSE_WAIT  
tcp      463      0 ::ffff:95.211.10.169:80     ::ffff:79.47.143.218:1558   ESTABLISHED 
tcp      468      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:45015  CLOSE_WAIT  
tcp      468      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:46515  CLOSE_WAIT  
tcp      468      0 ::ffff:95.211.10.169:80     ::ffff:72.30.142.183:48100  CLOSE_WAIT  
tcp      502      0 ::ffff:95.211.10.169:80     ::ffff:85.193.245.38:55076  ESTABLISHED 
tcp      506      0 ::ffff:95.211.10.169:80     ::ffff:72.252.26.104:53420  ESTABLISHED 
tcp      523      0 ::ffff:95.211.10.169:80     ::ffff:212.175.112.14:53611 CLOSE_WAIT  
tcp      528      0 ::ffff:95.211.10.169:80     ::ffff:24.203.90.163:2290   ESTABLISHED 
tcp      529      0 ::ffff:95.211.10.169:80     ::ffff:129.1.31.93:4646     CLOSE_WAIT  
tcp      536      0 ::ffff:95.211.10.169:80     ::ffff:200.77.144.43:42023  ESTABLISHED 
tcp      538      0 ::ffff:95.211.10.169:80     ::ffff:87.208.191.218:51909 ESTABLISHED 
tcp      547      0 ::ffff:95.211.10.169:80     ::ffff:89.134.70.155:4610   CLOSE_WAIT  
tcp      549      0 ::ffff:95.211.10.169:80     ::ffff:91.150.114.16:11949  ESTABLISHED 
tcp      552      0 ::ffff:95.211.10.169:80     ::ffff:201.29.216.114:61179 CLOSE_WAIT  
tcp      553      0 ::ffff:95.211.10.169:80     ::ffff:69.250.23.83:38959   CLOSE_WAIT  
tcp      553      0 ::ffff:95.211.10.169:80     ::ffff:91.150.114.16:11948  ESTABLISHED 
tcp      556      0 ::ffff:95.211.10.169:80     ::ffff:24.238.26.131:4387   CLOSE_WAIT  
tcp      556      0 ::ffff:95.211.10.169:80     ::ffff:24.238.26.131:4388   CLOSE_WAIT  
tcp      556      0 ::ffff:95.211.10.169:80     ::ffff:91.150.114.16:11946  ESTABLISHED 
tcp      561      0 ::ffff:95.211.10.169:80     ::ffff:91.150.114.16:11945  ESTABLISHED 
tcp      565      0 ::ffff:95.211.10.169:80     ::ffff:94.189.144.75:62532  CLOSE_WAIT  
tcp      566      0 ::ffff:95.211.10.169:80     ::ffff:69.250.23.83:39887   CLOSE_WAIT  
tcp      566      0 ::ffff:95.211.10.169:80     ::ffff:71.105.25.22:50343   CLOSE_WAIT  
tcp      569      0 ::ffff:95.211.10.169:80     ::ffff:87.114.146.77:49670  CLOSE_WAIT  
tcp      572      0 ::ffff:95.211.10.169:80     ::ffff:69.250.23.83:36593   CLOSE_WAIT  
tcp      572      0 ::ffff:95.211.10.169:80     ::ffff:69.250.23.83:42953   CLOSE_WAIT  
tcp      572      0 ::ffff:95.211.10.169:80     ::ffff:79.55.86.219:50245   CLOSE_WAIT  
tcp      574      0 ::ffff:95.211.10.169:80     ::ffff:77.51.10.24:46057    CLOSE_WAIT  
tcp      577      0 ::ffff:95.211.10.169:80     ::ffff:87.196.21.10:49359   CLOSE_WAIT  
tcp      583      0 ::ffff:95.211.10.169:80     ::ffff:193.179.147.25:14006 CLOSE_WAIT  
tcp      584      0 ::ffff:95.211.10.169:80     ::ffff:188.48.82.219:49322  CLOSE_WAIT  
tcp      590      0 ::ffff:95.211.10.169:80     ::ffff:120.50.180.171:2153  CLOSE_WAIT  
tcp      604      0 ::ffff:95.211.10.169:80     ::ffff:77.51.10.24:46055    CLOSE_WAIT  
tcp      612      0 ::ffff:95.211.10.169:80     ::ffff:77.51.10.24:46056    CLOSE_WAIT  
tcp      613      0 ::ffff:95.211.10.169:80     ::ffff:86.49.14.151:61271   ESTABLISHED 
tcp      620      0 ::ffff:95.211.10.169:80     ::ffff:89.137.146.69:2894   CLOSE_WAIT  
tcp      621      0 ::ffff:95.211.10.169:80     ::ffff:76.225.187.232:61191 ESTABLISHED 
tcp      628      0 ::ffff:95.211.10.169:80     ::ffff:189.84.86.105:1599   CLOSE_WAIT  
tcp      628      0 ::ffff:95.211.10.169:80     ::ffff:189.84.86.105:1601   CLOSE_WAIT  
tcp      628      0 ::ffff:95.211.10.169:80     ::ffff:189.84.86.105:1603   CLOSE_WAIT  
tcp      632      0 ::ffff:95.211.10.169:80     ::ffff:41.5.28.26:18778     CLOSE_WAIT  
tcp      634      0 ::ffff:95.211.10.169:80     ::ffff:189.30.226.197:61086 CLOSE_WAIT  
tcp      643      0 ::ffff:95.211.10.169:80     ::ffff:189.123.210.44:4998  CLOSE_WAIT  
tcp      649      0 ::ffff:95.211.10.169:80     ::ffff:24.250.124.104:42269 CLOSE_WAIT  
tcp      651      0 ::ffff:95.211.10.169:80     ::ffff:67.10.160.58:32969   CLOSE_WAIT  
tcp      655      0 ::ffff:95.211.10.169:80     ::ffff:125.165.64.213:1462  CLOSE_WAIT  
tcp      656      0 ::ffff:95.211.10.169:80     ::ffff:201.34.141.37:45240  ESTABLISHED 
tcp      661      0 ::ffff:95.211.10.169:80     ::ffff:194.80.32.10:43557   CLOSE_WAIT  
tcp      726      0 ::ffff:95.211.10.169:80     ::ffff:24.177.14.59:1390    CLOSE_WAIT  
tcp      731      0 ::ffff:95.211.10.169:80     ::ffff:200.2.152.130:41983  CLOSE_WAIT  
tcp      733      0 ::ffff:95.211.10.169:80     ::ffff:90.40.196.232:52809  ESTABLISHED 
tcp      733      0 ::ffff:95.211.10.169:80     ::ffff:90.40.196.232:52816  ESTABLISHED 
tcp      760      0 ::ffff:95.211.10.169:80     ::ffff:74.216.117.95:60982  CLOSE_WAIT  
tcp      763      0 ::ffff:95.211.10.169:80     ::ffff:220.227.41.243:42352 ESTABLISHED 
tcp      865      0 ::ffff:95.211.10.169:80     ::ffff:83.103.111.12:2905   ESTABLISHED 
tcp      975      0 ::ffff:95.211.10.169:80     ::ffff:82.80.156.64:1263    CLOSE_WAIT
Am I under a DDoS attack? If so, please tell me how to avoid this.
 
Old 05-29-2009, 02:47 PM   #2
jamescondron
Ban the IP for starters
 
Old 05-29-2009, 02:51 PM   #3
anomie
Is this level of traffic unusual for your host? There are only 102 connections (in various states) in the output you posted.

If this is overwhelming your server resources, you're going to need to look at limiting client connections. Which MPM are you using? If you don't know, post the output of:

# httpd -l
 
Old 05-29-2009, 05:19 PM   #4
salasi
Actually, I suspect not. There aren't that many open connections (well, not that many for a DDOS...it could just be an inept DDOS attack, of course) and quite a few of the connections are in '...waiting...' or '...ack...' states.

My suspicion is that there is something not quite right with, eg, the firewall and connections are hanging around in 'part-way-through' states.

Can you have a look and check that the firewall ruleset doesn't have anything suspicious in it?

Of course, you don't want to get complacent and not do anything about it just because it might be something else. If you can't quickly prove that it is something else, for safety, you probably have to assume it's a DDOS until proved otherwise.
 
Old 05-30-2009, 01:02 PM   #5
dheeraj4uuu
Hello,

Thanks for the replies.

Actually my log is too big, about 500MB, and the connections that I posted are only a few. I have now attached the full list, about 30KB. Can you check it and tell me, please?

Every night at 11 PM and every morning at 5 AM my httpd has too many processes running, and it takes so much time to log in to my SSH at that time. I've checked my access log but I can't figure out what's wrong. Can you tell me whether I am under a DDoS attack or not?
Attached file: TCP.txt (38.4 KB)
 
Old 05-30-2009, 03:09 PM   #6
dheeraj4uuu
Hello,

Here is an update from my error log, which I feel is suspicious:

Code:
[Thu May 28 00:10:07 2009] [notice] SIGHUP received.  Attempting to restart
[Thu May 28 00:10:08 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:10:08 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:10:08 2009] [notice] Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.9 Mod_Security 2.5.9 enabled configured -- resuming normal operations
[Thu May 28 00:11:01 2009] [notice] caught SIGTERM, shutting down
[Thu May 28 00:11:03 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:11:03 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 28 00:11:03 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:11:03 2009] [notice] ModSecurity for Apache/2.5.9 (http://www.modsecurity.org/) configured.
[Thu May 28 00:11:03 2009] [notice] Original server signature: Apache/2
[Thu May 28 00:11:04 2009] [warn] RSA server certificate CommonName (CN) `localhost' does NOT match server name!?
[Thu May 28 00:11:04 2009] [error] SecServerSignature: original signature too short. Please set ServerTokens to Full.
[Thu May 28 00:11:04 2009] [notice] Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 DAV/2 PHP/5.2.9 Mod_Security 2.5.9 enabled configured -- resuming normal operations
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/redir, referer: http://127.0.0.1/
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/404.shtml, referer: http://127.0.0.1/
[Thu May 28 00:42:10 2009] [error] [client 81.172.1.139] File does not exist: /var/www/html/b4g8zp.jpg, referer: http://www.legendarydevils.com/tv-sh...-episodes.html
[Thu May 28 00:42:10 2009] [error] [client 81.172.1.139] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/tv-sh...-episodes.html
[Thu May 28 01:29:28 2009] [error] [client 190.11.65.181] request failed: error reading the headers
[Thu May 28 01:30:21 2009] [error] [client 72.234.148.150] Invalid URI in request HTTP/1.1 200 OK
[Thu May 28 01:30:21 2009] [error] [client 72.234.148.150] File does not exist: /var/www/html/400.shtml
[Thu May 28 01:43:52 2009] [error] [client 87.106.65.228] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu May 28 05:03:27 2009] [error] [client 203.87.176.18] request failed: error reading the headers, referer: http://www.legendarydevils.com/windo...untouched.html
[Thu May 28 07:12:10 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/adserver, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:10 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:12 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/st, referer: http://www.legendarydevils.com/utili...eaver-cs4.html
[Thu May 28 07:12:12 2009] [error] [client 41.174.14.232] File does not exist: /var/www/html/404.shtml, referer: http://www.legendarydevils.com/utili...eaver-cs4.html

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned

exim: SIGTERM received - message abandoned
[Thu May 28 07:40:20 2009] [warn] child process 2374 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2746 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2858 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2418 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2474 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2666 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3098 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3102 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2507 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3119 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 3139 still did not exit, sending a SIGTERM
[...]
and there are a lot more processes like that.
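The error_log excerpt above mixes four kinds of entry: restart notices, 404 noise from broken referers, a request for `/w00tw00t.at.ISC.SANS.DFind:)` (the fingerprint of the DFind vulnerability scanner, not a DDoS) and children being SIGTERMed because they did not exit on restart. Counting entries by kind and by client separates scanning and malformed requests from load, which is the question this thread is trying to answer. The script below is an added example and not code from the thread; the log lines it reads are constructed to mirror the posted format, with made-up client addresses and paths.

```shell
#!/bin/sh
# Added example: sort an Apache 2.2 error_log into kinds of event and
# count them per kind and per client, to tell scanning and broken
# requests apart from server restarts and plain 404 noise.
#
# Constructed excerpt in the format of the thread's error_log. The
# client addresses and paths are made up for the example.
ERRLOG='[Thu May 28 00:10:07 2009] [notice] SIGHUP received.  Attempting to restart
[Thu May 28 00:33:46 2009] [error] [client 127.0.0.1] File does not exist: /var/www/html/redir, referer: http://127.0.0.1/
[Thu May 28 00:42:10 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/missing.jpg
[Thu May 28 01:29:28 2009] [error] [client 192.0.2.11] request failed: error reading the headers
[Thu May 28 01:43:52 2009] [error] [client 198.51.100.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Thu May 28 01:44:02 2009] [error] [client 198.51.100.5] File does not exist: /var/www/html/admin
[Thu May 28 07:40:20 2009] [warn] child process 2374 still did not exit, sending a SIGTERM
[Thu May 28 07:40:20 2009] [warn] child process 2746 still did not exit, sending a SIGTERM'

# One tab-separated line per input line: kind, client address ("-" when
# the entry has no [client ...] field), message. Kinds are tested in
# order of specificity: the scanner probe also trips the "without
# hostname" rule, and the SIGTERM sent to a stuck child is not a restart.
classify() {
    awk '
    function kind(m) {
        if (m ~ /w00tw00t/)                                               return "scanner"
        if (m ~ /without hostname|error reading the headers|Invalid URI/) return "bad-request"
        if (m ~ /File does not exist/)                                    return "not-found"
        if (m ~ /still did not exit, sending a SIGTERM/)                  return "child-killed"
        if (m ~ /SIGHUP|SIGTERM|resuming normal operations|shutting down/) return "restart"
        return "other"
    }
    {
        ip = "-"
        if (match($0, /\[client [^]]+\]/))
            ip = substr($0, RSTART + 8, RLENGTH - 9)
        n = split($0, part, "] ")      # the message is what follows the last "] "
        msg = part[n]
        print kind(msg) "\t" ip "\t" msg
    }'
}

# Events per kind, most frequent first.
count_by_kind() {
    classify | awk -F "\t" '{ c[$1]++ }
                            END { for (k in c) printf "%d %s\n", c[k], k }' | sort -k1,1nr -k2,2
}

# Clients behind one kind of event, e.g. `clients_for scanner`.
clients_for() {
    classify | awk -F "\t" -v want="$1" '$1 == want && $2 != "-" { c[$2]++ }
                            END { for (k in c) printf "%d %s\n", c[k], k }' | sort -k1,1nr -k2,2
}

echo "== events by kind =="
printf '%s\n' "$ERRLOG" | count_by_kind
echo "== clients sending scanner probes =="
printf '%s\n' "$ERRLOG" | clients_for scanner
echo "== clients producing 404s =="
printf '%s\n' "$ERRLOG" | clients_for not-found
```

Against the real file (the RHEL default path is assumed here) the same functions work as `classify < /var/log/httpd/error_log | cut -f1 | sort | uniq -c`, or `clients_for bad-request < /var/log/httpd/error_log` to see who is sending the malformed requests. A burst of `child-killed` warnings with one timestamp, as in the post, is what a restart produces when children are still busy; it is better read as a symptom of the load than as its cause.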
 
Old 05-30-2009, 03:30 PM   #7
anomie
@dheeraj4uuu: A simple question for you -- do you want to lower the limit on client connections at the Apache web server level or not? I don't quite follow your analysis, but if you feel restricting client connections is a possible solution, then please post the output of the command I mentioned earlier in the thread.
 
Old 05-30-2009, 11:20 PM   #8
dheeraj4uuu
Hello,

This is the output of the command:

Code:
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_deflate.c
  mod_log_config.c
  mod_logio.c
  mod_env.c
  mod_headers.c
  mod_unique_id.c
  mod_setenvif.c
  mod_proxy.c
  mod_proxy_connect.c
  mod_proxy_ftp.c
  mod_proxy_http.c
  mod_proxy_ajp.c
  mod_proxy_balancer.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_dav.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_suexec.c
  mod_cgi.c
  mod_dav_fs.c
  mod_dav_lock.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_so.c
I just want to block the attack, that's it. Whatever you ask me to do to stop the attack, I will do. But one thing: I get a lot of visitors daily, about 35k.

Waiting for replies.
 
Old 05-31-2009, 11:26 AM   #9
dheeraj4uuu
Hello,

Here is the output of

Code:
netstat -plan|grep :80 |awk '{print $5}' | awk -F : '{print $(NF-1)}' | sort | uniq -c | sort -n

Code:
  1 
      1 117.195.144.84
      1 117.198.160.186
      1 121.97.156.198
      1 123.125.64.49
      1 123.125.66.66
      1 125.24.38.178
      1 125.27.44.255
      1 174.36.52.103
      1 174.36.52.109
      1 174.36.52.110
      1 174.36.52.97
      1 187.14.4.118
      1 187.26.168.43
      1 187.46.168.1
      1 188.27.42.167
      1 189.110.214.46
      1 190.140.72.79
      1 190.212.22.178
      1 194.208.145.12
      1 200.126.220.42
      1 200.79.250.128
      1 201.170.231.19
      1 201.231.225.85
      1 206.172.78.158
      1 208.85.242.212
      1 212.92.30.249
      1 213.22.92.115
      1 213.6.140.227
      1 216.93.128.22
      1 217.230.118.21
      1 219.15.216.46
      1 220.129.79.130
      1 221.137.151.15
      1 24.63.112.224
      1 41.221.19.167
      1 41.238.53.231
      1 58.227.167.246
      1 61.245.53.216
      1 62.163.240.198
      1 62.99.163.106
      1 64.255.180.39
      1 64.27.16.90
      1 65.75.245.106
      1 66.249.67.230
      1 66.249.85.68
      1 67.228.157.56
      1 67.228.157.57
      1 67.80.31.171
      1 68.37.30.126
      1 69.171.162.48
      1 69.65.10.238
      1 71.76.207.32
      1 74.125.75.17
      1 74.210.142.60
      1 77.23.144.89
      1 77.49.70.58
      1 77.99.132.162
      1 78.129.157.190
      1 78.144.236.28
      1 78.144.94.245
      1 78.148.26.135
      1 78.45.3.33
      1 78.86.216.14
      1 79.148.180.52
      1 79.162.240.158
      1 79.175.75.210
      1 79.186.42.218
      1 79.186.65.23
      1 79.89.160.27
      1 80.201.206.118
      1 81.109.18.93
      1 81.19.2.90
      1 81.200.48.115
      1 82.100.0.234
      1 82.2.161.246
      1 82.247.232.148
      1 82.53.14.58
      1 83.134.149.208
      1 83.19.247.146
      1 83.45.38.177
      1 84.152.98.13
      1 84.171.111.208
      1 84.3.144.40
      1 84.72.159.163
      1 85.179.61.247
      1 85.180.232.188
      1 86.156.137.5
      1 87.146.72.25
      1 87.149.231.110
      1 87.16.219.40
      1 87.19.62.135
      1 87.207.205.34
      1 87.4.249.125
      1 88.0.107.229
      1 88.19.139.42
      1 88.209.245.181
      1 88.210.118.18
      1 88.228.151.202
      1 88.70.91.234
      1 89.17.0.102
      1 89.172.120.134
      1 89.235.217.159
      1 89.245.198.73
      1 89.77.155.250
      1 90.151.145.107
      1 90.184.159.93
      1 90.200.121.112
      1 90.55.2.56
      1 91.121.177.44
      1 91.163.31.138
      1 91.205.172.104
      1 92.101.191.158
      1 92.106.48.211
      1 92.236.214.203
      1 92.85.125.157
      1 93.86.181.63
      1 93.96.153.89
      1 94.194.156.177
      1 96.31.65.66
      1 96.31.69.43
      1 96.31.69.56
      1 98.64.112.145
      1 99.242.33.234
      2 122.164.38.112
      2 151.50.44.199
      2 173.64.83.232
      2 174.36.52.101
      2 174.36.52.99
      2 188.3.228.182
      2 195.158.69.231
      2 207.200.116.14
      2 213.222.160.19
      2 67.228.157.58
      2 72.160.57.248
      2 77.49.76.143
      2 79.144.226.230
      2 80.57.35.39
      2 83.12.105.146
      2 83.76.95.234
      2 84.151.238.144
      2 84.192.86.96
      2 85.64.111.21
      2 86.120.92.44
      2 86.96.228.93
      2 87.15.166.73
      2 87.171.183.186
      2 87.205.37.99
      2 90.186.228.40
      2 91.127.89.8
      2 92.229.82.34
      2 93.133.57.214
      2 94.217.251.225
      2 94.222.124.233
      2 94.251.185.244
      2 94.71.175.139
      3 174.36.52.100
      3 174.36.52.102
      3 174.36.52.104
      3 174.36.52.107
      3 174.36.52.96
      3 212.21.233.80
      3 67.228.157.59
      3 75.54.219.44
      3 77.49.70.29
      3 79.14.136.25
      3 81.100.245.153
      3 83.1.68.200
      3 89.39.218.176
      4 65.36.241.79
      4 71.60.228.163
      5 174.36.52.105
      5 79.45.36.123
      5 86.96.227.86
      5 90.179.140.209
      6 210.1.242.106
      6 62.194.13.99
      6 81.105.114.27
      6 84.251.15.71
      7 220.227.15.133
      7 41.238.103.236
      9 93.86.98.23
     12 124.43.233.34
I ran the above command and this is what I got. Am I under attack?
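The two pipelines in this thread, `netstat -an | grep :80 | sort` in post #1 and the per-address `uniq -c` count just above, are what the script below does in one place. It is an added example, not code posted in the thread: it tallies port-80 connections by TCP state and by remote address, then prints (without running) a DROP rule for each address holding at least a chosen number of connections, the "ban the IP" step suggested in post #2. The netstat lines it reads are constructed for the example; the listener address is the thread's, the client addresses come from documentation ranges. The per-state tally is worth having because CLOSE_WAIT means the client has already closed and the local httpd child has not yet called close, so a pile of those with bytes still in Recv-Q usually says the server is not keeping up, which a count by address alone will not show.

```shell
#!/bin/sh
# Added example: tally `netstat -an` lines for port 80 by state and by
# remote address, then print (not apply) a DROP rule for heavy hitters.
#
# Constructed sample resembling the thread's `netstat -an | grep :80`
# output. The listener address is the one from the thread; the client
# addresses are documentation ranges, not real visitors.
SAMPLE='tcp        0      0 ::ffff:95.211.10.169:80     ::ffff:203.0.113.9:40001    ESTABLISHED
tcp        0      0 ::ffff:95.211.10.169:80     ::ffff:203.0.113.9:40002    ESTABLISHED
tcp      218      0 ::ffff:95.211.10.169:80     ::ffff:203.0.113.9:40003    CLOSE_WAIT
tcp      405      0 ::ffff:95.211.10.169:80     ::ffff:203.0.113.9:40004    CLOSE_WAIT
tcp        0   1491 ::ffff:95.211.10.169:80     ::ffff:192.0.2.7:2263       LAST_ACK
tcp        0      0 ::ffff:95.211.10.169:80     ::ffff:192.0.2.7:2264       ESTABLISHED
tcp        0      0 95.211.10.169:80            198.51.100.4:51000          ESTABLISHED
tcp        0      0 :::80                       :::*                        LISTEN'

# Connections per TCP state (column 6). The LISTEN socket is not a
# connection, so it is left out.
count_by_state() {
    awk '$1 == "tcp" && $6 != "LISTEN" { s[$6]++ }
         END { for (k in s) printf "%d %s\n", s[k], k }' | sort -k1,1nr -k2,2
}

# Connections per remote address (column 5). The "::ffff:" prefix marks
# an IPv4 peer on an IPv6 socket; strip it, then drop the trailing port
# so that all of one client's connections land in one bucket.
count_by_client() {
    awk '$1 == "tcp" && $6 != "LISTEN" {
             a = $5
             sub(/^::ffff:/, "", a)
             sub(/:[0-9*]+$/, "", a)
             c[a]++
         }
         END { for (k in c) printf "%d %s\n", c[k], k }' | sort -k1,1nr -k2,2
}

# Print a firewall rule for every address holding at least $1 connections.
# Nothing is executed here: review the list (search engines and your own
# monitoring hosts will show up too) before pasting rules into a shell.
flag_clients() {
    count_by_client | awk -v t="$1" '$1 >= t {
        printf "iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n", $2 }'
}

echo "== by state =="
printf '%s\n' "$SAMPLE" | count_by_state
echo "== by client =="
printf '%s\n' "$SAMPLE" | count_by_client
echo "== clients with 3 or more connections =="
printf '%s\n' "$SAMPLE" | flag_clients 3
```

With the functions sourced, real data goes in as `netstat -an | grep ':80 ' | count_by_client`. Expect your own search-engine crawlers and monitoring hosts near the top of the list; the threshold is a prompt to look at an address, not an automatic ban.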
 
Old 05-31-2009, 03:07 PM   #10
anomie
@dheeraj4uuu: We don't precisely know if you are under attack. You need to be monitoring your server for normal and peak activity, and then pay attention to unusual patterns. What sort of access_log activity do you see from the suspected DDOSers?

You're using the prefork MPM, which you can read about here. If this extra web server activity is causing your server itself to be overwhelmed, I would recommend carefully tweaking the MaxClients directive to something more appropriate.

Note that this is not a silver bullet. It may cause legitimate clients to have to wait (and in really bad cases, time out). But this is the way to reduce the load on your server.
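A worked version of the MaxClients tuning anomie recommends, added here as an example and not code from the thread. The usual sizing rule for prefork is to divide the memory you are prepared to give Apache by the resident size of one httpd child and keep the result at or below ServerLimit, which prefork enforces (a higher MaxClients is lowered to ServerLimit with a warning in error_log; the compiled-in default is 256). The per-child RSS figures and the 1.5 GiB budget are made-up inputs for the example; measure your own with `ps -C httpd -o rss=` and `free`.

```shell
#!/bin/sh
# Added example: size MaxClients for the prefork MPM from measured
# per-child memory, then emit the matching <IfModule prefork.c> block.
#
# Constructed sample of `ps -C httpd -o rss=` output: resident size in
# KiB of each httpd child. The numbers are made up for this example.
HTTPD_RSS='24816
25104
23988
26240
24512'

# Memory budget for Apache in KiB. Assumed here: a 2 GiB box keeping
# 512 MiB back for the kernel, the database, sshd and page cache.
MEM_FOR_APACHE_KIB=$((1536 * 1024))

# Average child RSS in KiB, rounded up so the estimate errs on the
# side of fewer children. Prints 0 if no rows were supplied.
avg_rss_kib() {
    awk '{ n++; s += $1 }
         END {
             if (n == 0) { print 0; exit }
             c = int(s / n); if (c * n < s) c++
             print c
         }'
}

# Budget divided by average child size, capped at ServerLimit. Prefork
# lowers a MaxClients above ServerLimit anyway (default 256), so the cap
# is applied here and both directives are written out together.
suggest_maxclients() {
    budget_kib="$1"
    server_limit="${2:-256}"
    avg=$(avg_rss_kib)
    if [ "$avg" -le 0 ]; then
        echo "no httpd children found" >&2
        return 1
    fi
    n=$((budget_kib / avg))
    if [ "$n" -gt "$server_limit" ]; then
        n="$server_limit"
    fi
    echo "$n"
}

# Emit the prefork block. Spare-server counts are left at modest values;
# MaxRequestsPerChild recycles children so a slow leak in PHP does not
# grow the RSS figure we sized against.
prefork_config() {
    cat <<EOF
<IfModule prefork.c>
    StartServers          8
    MinSpareServers       5
    MaxSpareServers      20
    ServerLimit          $1
    MaxClients           $1
    MaxRequestsPerChild 4000
</IfModule>
EOF
}

AVG=$(printf '%s\n' "$HTTPD_RSS" | avg_rss_kib)
MC=$(printf '%s\n' "$HTTPD_RSS" | suggest_maxclients "$MEM_FOR_APACHE_KIB")
echo "average httpd child RSS: ${AVG} KiB"
echo "suggested MaxClients:    ${MC}"
prefork_config "$MC"
```

Sizing against the largest child rather than the average is the cautious choice on a box that also runs PHP; `avg_rss_kib` is the function to swap out for that. With 35k visitors a day, a lower MaxClients means excess connections wait in the kernel accept queue (bounded by ListenBacklog) instead of forking children until RAM runs out, which is the trade-off anomie describes.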
 
  

