Is my server under DDoS attack? Please help. :(
I am a newbie on Linux and its management; I'm learning. I have a server and I think that my server is under DDoS attack. I see that the server is not having much load and only a few processes run, but my site opens very slowly.
I executed the following command over SSH:

root@server [~]# netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n | tail

Also tell me what steps I should take to stop DDoS on my server.
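As an added example (not something posted in the thread), here is a small POSIX shell script that does what the command above does but also keeps the TCP state and copes with IPv6-mapped addresses. Two caveats with the one-liner above: `cut -d: -f1` returns an empty string for entries like `::ffff:198.51.100.7:40002`, and the `0.0.0.0:*` wildcard of LISTEN sockets gets counted as if it were a peer. The `sample_netstat` function below is constructed `netstat -ant` output; on a live box, pipe the real `netstat -ant` into the functions instead (`ss -tan` has the state in its first column, so its field numbers would differ).

```shell
#!/bin/sh
# Added example: count TCP connections per remote address and per state.
# Reads "netstat -ant" style output on stdin. On a live server run, e.g.:
#   netstat -ant | count_per_remote
export LC_ALL=C   # byte-order sorting, so output is stable across locales

# Constructed sample of "netstat -ant" output (not the original poster's data).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40002 TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Print the remote address of every non-listening TCP socket.
# The port is the text after the LAST colon, so IPv6 addresses survive intact
# (cut -d: -f1 would turn "::ffff:198.51.100.7:40002" into an empty string).
remote_addrs() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { sub(/:[^:]*$/, "", $5); print $5 }'
}

# Connections per remote address, busiest last: "count address".
count_per_remote() {
    remote_addrs | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Connections per TCP state: "count state". A large SYN_RECV count next to
# few ESTABLISHED entries is the classic SYN-flood signature.
count_per_state() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" { print $6 }' \
        | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Total number of non-listening TCP connections (the "how many" question).
total_connections() {
    remote_addrs | wc -l | tr -d ' '
}

# Stand-alone demo on the constructed sample.
echo "total: $(sample_netstat | total_connections)"
sample_netstat | count_per_state
sample_netstat | count_per_remote
```

On the sample this reports 5 connections, one of them in SYN_RECV, with 203.0.113.5 holding three of them. A single address holding hundreds of connections, or SYN_RECV dwarfing ESTABLISHED, is the pattern worth investigating further in the firewall and Apache logs.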
I would advise you to run a firewall on the server. And if you already have one running, then the logs from the firewall are what you should be examining.

Netstat does not give useful info on attacks; it's just info on active and closing/terminating connections, and it does not have any kind of history. What you are interested in, for example, is how many connection attempts there have been on port x in the last minute/hour/day. Only a firewall can give you that. Well, a packet sniffer could also do the job, but it's really the job of a decent firewall.

Another thing you can try is to see what process is slowing the machine down. It could be that some service is draining the CPU, and then it might be as easy as restarting or stopping that service. Running "top" in a terminal may give a hint of what is using the CPU.
When you say it is a server, do you mean that it is a webserver (e.g., Apache or something similar, plus whatever else is needed to serve nicely formatted webpages, like a CMS)?

We really need some good information from you:
1. The server is hosting a few websites.
2. I don't say the server is running slow; actually the sites are opening damn slow. Also I don't see any process on my top, but still my site is down. My CPU load is less than 0.30, but still the site opens slow. And whenever I reboot my webserver (httpd) from WHM, the site opens fine for about 5 minutes, then again starts to load slow.
3. I suppose there are many connections. Is there any command by which I can find how many connections there are?
4. My CPU specs are:
It can't be network latency in our region, because if I reboot the httpd the sites start to load fine. E.g. site: bindas.tk
6. Here is a preview of top:
DDoS activity usually results in the system tanking due to it having issues attempting to track thousands+ of alerts. Let's say a system that was being DDoSed was restarted. When a system restarts, everything is reinitialized, including connection tracking. So, of course, a check of resources immediately after a reboot won't be the same as a check of resources after 10 or so minutes of DDoS activity. Your explanation doesn't mean a thing, IMO. The only thing that backs you up at this point is the fact that top isn't showing any resource spikes, which also means nothing.

This tells me that you're possibly experiencing an application issue, but you did know that one IP/host can DoS a computer, right? A host can send a specially crafted packet to another system which would make that remote system gag on the packet, which may hose the whole system or hog enough resources to where that remote system can't do anything else. That's pretty much a denial of service. Again, your issue might not be DDoS-related... it may certainly be DoS-related, though. So, we're back to square one. What you think is a DDoS is almost certainly not, but you might be experiencing some type of DoS, or you've an issue with one of your apps (misconfiguration that the system is choking on or that someone is attempting to take advantage of).

Now, check this link and use it to determine the state of integrity of your host. This is the US CERT's Intrusion Detection Checklist. There's also a massive LQ Security Resources thread here. Use this (maybe after you've fixed your current issue) to establish an integrity baseline for your machine(s).

You need to find out the who, what, when, where, why, and how, if you think your box is being defiled or impeded. Start with your system logs, your application logs (definitely check Apache). You can run a sniffer on a temporary basis just so you can better see what's going on... I believe a sniffer will be a better resource than any FW log. A FW log will point you in a direction. A sniffer log, depending on how you've configured it, will tell you everything a FW log will, in addition to Layer-7 information (which a FW won't be able to do unless it has true IPS functionality).

Lastly, quit restarting your host. Restarting plays havoc with the system's audit trail. If you're restarting, you're wiping away traces of evidence that may not have yet made it to a logfile.
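Two of the replies above point at logs rather than netstat: one asks for "how many connection attempts on port x in the last minute" from the firewall log, the other says to check the Apache log for the layer-7 picture. The following POSIX shell script is an added example that is not part of any post in the thread; it groups both kinds of log by minute. The `sample_fw_log` and `sample_access_log` lines are constructed, the iptables LOG rule in the comment is the kind of rule that produces such lines, and the field positions assume standard syslog timestamps and the Apache combined log format.

```shell
#!/bin/sh
# Added example: per-minute counting over a firewall log and an Apache access log.
export LC_ALL=C   # byte-order sorting, stable across locales

# Constructed iptables LOG lines in syslog format (not from the thread).
# A rule like the following writes such lines for new inbound SYNs
# (rate-limited so the log itself cannot be flooded):
#   iptables -I INPUT -p tcp --syn -m limit --limit 60/min -j LOG --log-prefix "SYN-IN: "
sample_fw_log() {
cat <<'EOF'
Mar  3 14:05:01 server kernel: SYN-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN
Mar  3 14:05:02 server kernel: SYN-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN
Mar  3 14:05:02 server kernel: SYN-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=22 SYN
Mar  3 14:05:40 server kernel: SYN-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=80 SYN
Mar  3 14:06:10 server kernel: SYN-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
Mar  3 14:06:11 server sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 50001 ssh2
EOF
}

# New-connection attempts per (minute, destination port): "count HH:MM dport".
# Only lines carrying the LOG prefix are counted; other syslog noise is skipped.
syn_per_port_per_minute() {
    awk '
        /SYN-IN:/ {
            minute = substr($3, 1, 5)       # HH:MM from the syslog timestamp
            dport = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) dport = substr($i, 5)
            if (dport != "") count[minute " " dport]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k2,2 -k3,3n
}

# Constructed Apache combined-format access log lines (not from the thread).
sample_access_log() {
cat <<'EOF'
203.0.113.5 - - [03/Mar/2012:14:05:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2012:14:05:01 -0500] "GET /index.php?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2012:14:05:02 -0500] "GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Mar/2012:14:05:30 -0500] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2012:14:06:00 -0500] "POST /login.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
}

# Requests per (minute, client): "count DD/Mon/YYYY:HH:MM client", busiest first
# within each minute. This is the layer-7 view a packet-filter log cannot give.
requests_per_client_per_minute() {
    awk '{
        minute = substr($4, 2, 17)          # drop "[" and the seconds
        count[minute " " $1]++
    }
    END { for (k in count) print count[k], k }' | sort -k2,2 -k1,1nr
}

# Keep only (minute, client) rows above a request threshold, e.g. "clients_over 100".
clients_over() {
    awk -v limit="$1" '$1 > limit'
}

# Stand-alone demo on the constructed samples.
sample_fw_log | syn_per_port_per_minute
sample_access_log | requests_per_client_per_minute | clients_over 2
```

Run against real files as `grep 'SYN-IN:' /var/log/messages | syn_per_port_per_minute` and `requests_per_client_per_minute < /var/log/httpd/access_log`. The threshold in `clients_over` has to be calibrated against the site's normal traffic; what matters for the "site is fine for 5 minutes after an httpd restart" symptom is whether one client, or one URL, accounts for the bulk of requests in every minute leading up to the slowdown.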
I was wondering if my Apache configuration is causing this kind of problem....
Can this be the issue, that my Apache + PHP compile is causing this?
A quick way to detect if it really is a network problem is to unplug the network cable and access one of your sites from the server itself (with wget).
If it responds at once, it is an indication that some network problem exists, but it's still no guarantee that it is an attack. It may be several other things going on on your LAN, a runaway workstation, etc.

wget -O- http://yoursite