am I being DDoS-ed ??

Discussion in 'General' started by pakogah, Jul 9, 2008.

  1. pakogah

    pakogah New Member

    it happen lately these days, my user complain can't access his site, and when I check I can't also, tried ssh to server can't, but I can the server properly, no time out..

    and then after I can login to server via ssh, I just stay there and doing netstat randomly while opening the site on my browser.. and when the time I can't access the site, I tried to check how many connection opened (netstat -an) it has slow response, and result were displayed later. and when the result came up, I found many connection thru port 80 from the same IP but already close_wait... (see below)

    my question, am I being DDoS-ed?? if so how do I prevent it.
    ps: I have installed Blockhost..

    thank before.

    Code:
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:66.249.70.92:55089   CLOSE_WAIT  15781/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:39846     CLOSE_WAIT  15782/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:66.249.70.92:39190   CLOSE_WAIT  15990/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:60557     CLOSE_WAIT  15786/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:46049     CLOSE_WAIT  15995/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:66.249.70.92:56390   CLOSE_WAIT  15992/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:48077     CLOSE_WAIT  6252/httpd
    tcp        0      0 ::ffff:10.10.48.232:22      ::ffff:10.10.105.181:4480   ESTALISHED 18532/0
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:10.10.105.181:4517   CLOSE_WAIT  25432/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:52498     CLOSE_WAIT  15788/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:66.249.70.92:40852   CLOSE_WAIT  15994/httpd
    tcp        0      0 ::ffff:10.10.48.232:80      ::ffff:10.10.105.181:4524   ESTALISHED 15783/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:10.10.105.181:4521   CLOSE_WAIT  15965/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:37391     CLOSE_WAIT  20978/httpd
    tcp        0      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:40554     CLOSE_WAIT  15969/httpd
    tcp        1      0 ::ffff:10.10.48.232:80      ::ffff:74.6.8.106:44626     CLOSE_WAIT  16006/httpd
    tcp      279      0 ::ffff:10.10.48.232:80      ::ffff:66.249.70.92:58074   ESTALISHED -
     
  2. falko

    falko Super Moderator ISPConfig Developer

    10.10.48.232 is a local IP address from your LAN...
     
  3. pakogah

    pakogah New Member

    correct, 10.10.48.232 is my box which NAT'ed by router with public IP.
    I just curious why when these 2 IPs connect to port 80 (66.249.70.92, 74.6.8.106) how come my box became not responding. (I cant access to port 80 and 22)..

    that's all.... but with new version of Centos and ispconfig available. I'll upgrade my box and hopefully this case wont happen again
    ________
    Vapolution
     
    Last edited: Feb 18, 2011
  4. falko

    falko Super Moderator ISPConfig Developer

  5. pakogah

    pakogah New Member

    after checking my server console, I found error that my server is not enough memory, and killing some process belong to httpd and mysqld. I have 640MB Memory and 1GB swap on my primary server. is that not enough ??

    http://www.howtoforge.com/forums/showpost.php?p=135001&postcount=5

    hosting 22 sites (all of them using mysql DBs - for Wordpress and Joomla)
    ________
    CR250M
     
    Last edited: Feb 18, 2011
  6. falko

    falko Super Moderator ISPConfig Developer

    I think you should try to optimize Apache and MySQL. Are you using a PHP cache such as eAccelerator or Xcache? If not, you should definitely install one.
     
  7. pakogah

    pakogah New Member

    i'll install php eAccelator and try to configure mysql... but to optimize apache?? I never do that...

    but thanks for the tips..
    :D
    ________
    E23
     
    Last edited: Feb 18, 2011
  8. pakogah

    pakogah New Member

Share This Page