how to analyze a DOS attack?

Discussion in 'Server Operation' started by Ovidiu, Jan 23, 2012.

  1. Ovidiu

    Ovidiu Active Member

    I think some script kiddie or similar is having fun targeting my server. happened about 3 times in the last 3 weeks. server would come to a stand still and all I can still see is that all 4GB of RAM is begin used and about 5GB of swapping done. countless apache2 threads and php-cgi processes. Munin show a huge spike in traffic.
    everything is becoming so slow that only a reboot can help.

    now how would I analyze my log files to see which site was being targeted and which IP or IPs the attack came from?

    can one use some iptables rules to block i.e. incoming packets from any IPs that are asking for a site too often, within certain limits?

    I did a search for some tools and found these 3

    but do I really need something like that?

    I already added mod_dosevasive but that won't help that much since the apache and php_cgi processes still get spawned even though the visitor gets a 403 error he has still kept my server busy.

    any advice and help here?
  2. Ovidiu

    Ovidiu Active Member

    I have done some reading and I think I am looking for a cross between Fail2ban and mod_dosevasive.

    Any advice for me pelase?

Share This Page