[Wylug-discuss] Linux server assistance
Lee Evans
lee at leeevans.org
Tue Nov 6 08:48:44 UTC 2012
Thanks Paul that’s a nice command and a good idea – I’ll do just that and see where we get to.
Thanks
lee
From: Paul Branston [mailto:apbran at rannoch.demon.co.uk]
Sent: 06 November 2012 07:03
To: Lee Evans
Cc: <wylug-discuss at wylug.org.uk>
Subject: Re: [Wylug-discuss] Linux server assistance
I would run something every minute into a file with some time stamps to count the number of connections coming from the same IP hoping that if it is a DoS attack its not distributed from several sources.
Try something like,
Netstat -nut | awk '{print $5}'| cut -d: -f1|sort|uniq -c
Hopefully that gives you a clue of the concentration of connections when it starts going pear shaped. The problem is that when it happens the box may have its process table so full it can't fork any more connections and the script won't run.
On 5 Nov 2012, at 20:14, Lee Evans <lee at leeevans.org> wrote:
Hi all,
We have a client with a linux web server (apache, mysql, php) running some wordpress sites.
They are a relatively high volume site.
We have been having some trouble with outages, which I suspect to be due to load (and possibly malicious at that) issues.
The server locks up or grinds to a halt, there are far more httpd processes running than normal yet the usage stats suggest that there aren’t many live users.
My personal suspicion given the symptoms is a targeted DDoS attack using some sort of SYN flood to open too many connections which have a dead end.
Is there anyone out there that would be interested in helping us get to the bottom of this?
It’s beyond our skill set with general server / apache installation and maintenance.
Thanks
Lee
_______________________________________________
Wylug-discuss mailing list
Wylug-discuss at wylug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/wylug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/wylug-discuss/attachments/20121106/145921c8/attachment-0001.html>
More information about the Wylug-discuss
mailing list