[Wylug-discuss] Linux server assistance

Paul Branston apbran at rannoch.demon.co.uk
Tue Nov 6 07:00:00 UTC 2012


I would run something every minute into a file with some time stamps to count the number of connections coming from the same IP, hoping that if it is a DoS attack it's not distributed from several sources.

Try something like,
 netstat -nut | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

Hopefully that gives you a clue of the concentration of connections when it starts going pear-shaped. The problem is that when it happens the box may have its process table so full it can't fork any more connections and the script won't run.



On 5 Nov 2012, at 20:14, Lee Evans <lee at leeevans.org> wrote:

> Hi all,
>  
> We have a client with a Linux web server (Apache, MySQL, PHP) running some WordPress sites.
>  
> They are a relatively high volume site.
>  
> We have been having some trouble with outages, which I suspect to be due to load (and possibly malicious at that) issues.
>  
> The server locks up or grinds to a halt, there are far more httpd processes running than normal yet the usage stats suggest that there aren’t many live users.
>  
> My personal suspicion given the symptoms is a targeted DDoS attack using some sort of SYN flood to open too many connections which have a dead end.
>  
> Is there anyone out there that would be interested in helping us get to the bottom of this?
>  
> It’s beyond our skill set with general server / apache installation and maintenance.
>  
> Thanks
> Lee
>  
>  
>  
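Added example (not part of the original messages): the per-minute, timestamped connection count suggested in the reply, written as a script that also counts half-open (SYN_RECV) connections per remote address and strips only the port, so IPv4-mapped IPv6 peers are not lost the way they are with `cut -d: -f1`. The function names, the log path and the `--snapshot` argument are assumptions, and the sample input is constructed from documentation addresses.

```shell
#!/bin/sh
# Added example: function names, LOG path and --snapshot flag are assumptions.

# Read `netstat -nut` output on stdin.
# Print "<total> <syn_recv> <remote-ip>" per peer, busiest first.
summarise_conns() {
    awk '
        # Skip the two header lines; only tcp/udp rows carry addresses.
        $1 !~ /^(tcp|udp)/ { next }
        {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # strip the trailing :port only
            sub(/^::ffff:/, "", addr)    # IPv4-mapped IPv6 -> plain IPv4
            total[addr]++
            if ($6 == "SYN_RECV") half[addr]++
        }
        END {
            for (a in total) printf "%d %d %s\n", total[a], half[a] + 0, a
        }
    ' | sort -k1,1nr -k3,3
}

# Prefix each summary line with a UTC timestamp and append it to the log.
snapshot() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    netstat -nut | summarise_conns | sed "s/^/$ts /" \
        >> "${LOG:-/var/tmp/conn-counts.log}"
}

# Constructed sample in `netstat -nut` layout (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51235       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51236       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40000      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40001 TIME_WAIT
udp        0      0 192.0.2.10:123          198.51.100.9:123
EOF
}

# Cron entry (every minute): * * * * * /path/to/this-script --snapshot
if [ "${1:-}" = "--snapshot" ]; then snapshot; fi
```

Running `sample_netstat | summarise_conns` shows the output format without touching the live system; a high second column for one address points at half-open connections from that peer.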