  1. #1
    Member sh4ka
    Join Date
    May 2005
    Posts
    434

    Is this an attack ? very rare at netstat.. please suggestions

    Look at this ??
    Is this an attack or what? How can I have 300 connections from the primary server IP??? And how can I stop that?? I've never seen something like this...

    ## Just pasted the last lines from the output of the next command:
    netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -n

    4 201.226.99.61
    4 201.228.28.110
    4 71.122.139.171
    4 87.217.24.5
    5 200.72.163.226
    5 83.32.103.200
    17 200.121.185.120
    104 168.243.249.17
    301 [PRIMARY_SERVER_IP] ----------------> THIS LINE

  2. #2
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Umm, we see it all the time and there isn't much you can do apart from banning the IP.

  3. #3
    Member
    Join Date
    Oct 2002
    Posts
    751

    You ban your primary server IP?

  4. #4
    Member
    Join Date
    Jan 2005
    Location
    /dev/null
    Posts
    770

    Quote Originally Posted by sh4ka
    Look at this ??
    Is this an attack or what? How can I have 300 connections from the primary server IP??? And how can I stop that?? I've never seen something like this...

    ## Just pasted the last lines from the output of the next command:
    netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -n

    4 201.226.99.61
    4 201.228.28.110
    4 71.122.139.171
    4 87.217.24.5
    5 200.72.163.226
    5 83.32.103.200
    17 200.121.185.120
    104 168.243.249.17
    301 [PRIMARY_SERVER_IP] ----------------> THIS LINE

    Are any of the hosted sites using PHP url_fopen() with a URL set to the same server?

  5. #5
    Member sh4ka
    Join Date
    May 2005
    Posts
    434

    Do you mean BANNING MY PRIMARY SERVER IP?? That will cause some errors in the server I think, or am I wrong?? And I will not be able to access the server.. Otherwise I ban only MY PRIMARY SERVER IP to the 80 PORT, and how can I do that using APF??

    Also, now after talking with the datacenter techs, one of them told me it may be some SYN flood, to put a firewall and try to turn off the keepalives in httpd.conf.... I already did the keepalives, already have APF well configured with anti-DoS working, and have eth0's suggestions about sysctl hardening...

    Load average is better after these changes, but running the netstat command I got 482 connections from the PRIMARY SERVER IP

  6. #6
    Member
    Join Date
    Oct 2002
    Posts
    751

    Quote Originally Posted by sh4ka
    Do you mean BANNING MY PRIMARY SERVER IP ??

    I was asking jackie46 that question. It doesn't seem like a good idea to me.

  7. #7
    Member sh4ka
    Join Date
    May 2005
    Posts
    434

    I agree with that.. doesn't sound good to me..
    Anyway, doing a "netstat" I got a LOT OF TIME_WAIT connections like this:

    tcp 0 0 server.myserver:http 200.122.153.38:27397 TIME_WAIT
    tcp 0 0 server.myserver:http cm96171.red83-165.mund:2897 TIME_WAIT
    tcp 0 0 server.myserver:http 179.red-82-158-84.user:4422 TIME_WAIT
    tcp 0 0 server.myserver:http server.myserver:38928 TIME_WAIT
    tcp 0 0 server.myserver:http 202.Red-217-126-253.s:53110 TIME_WAIT
    tcp 0 0 server.myserver:http server.myserver:38929 TIME_WAIT

    That may be the problem.. I don't see a solution for this
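
Added example, not part of any post in this thread: the pipeline in post #1 counts every netstat line containing `:80`, whatever the TCP state and whichever end holds the port. The function below counts only connections whose local end is port 80 and splits them by peer, state and whether the peer is the server itself; `SERVER_IP`, the function names and the sample rows are constructed placeholders.

```shell
#!/bin/sh
# Added example; SERVER_IP and the sample lines are constructed placeholders.
SERVER_IP="192.0.2.10"

# Read `netstat -an` lines on stdin and count connections whose LOCAL end is
# port 80, grouped by peer IP and TCP state. Matching on the local address
# skips ports such as 8080 and the client-side row of a self-connection.
# Output rows: "<count> <peer> <state> <self|remote>", largest count first.
port80_breakdown() {
    awk -v self="$1" '
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop the peer port
            sub(/^::ffff:/, "", peer)   # IPv4-mapped IPv6 notation
            n[peer " " $6]++
        }
        END {
            for (k in n) {
                split(k, f, " ")
                own = (f[1] == self || f[1] == "127.0.0.1") ? "self" : "remote"
                printf "%d %s %s\n", n[k], k, own
            }
        }' | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

# Constructed netstat -an output resembling the rows pasted in post #7.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 192.0.2.10:80      198.51.100.7:27397   TIME_WAIT
tcp        0      0 192.0.2.10:80      192.0.2.10:38928     TIME_WAIT
tcp        0      0 192.0.2.10:80      192.0.2.10:38929     TIME_WAIT
tcp        0      0 192.0.2.10:80      192.0.2.10:38930     ESTABLISHED
tcp        0      0 192.0.2.10:38930   192.0.2.10:80        ESTABLISHED
tcp        0      0 192.0.2.10:80      203.0.113.5:4422     SYN_RECV
tcp        0      0 192.0.2.10:8080    203.0.113.5:4423     ESTABLISHED
tcp        0      0 0.0.0.0:80         0.0.0.0:*            LISTEN
EOF
}

# On a live host: netstat -an | port80_breakdown "$SERVER_IP"
sample_netstat | port80_breakdown "$SERVER_IP"
```

Rows in TIME_WAIT are connections that have already closed and are only being timed out by the kernel, so a large `self` count in that state reflects many short-lived local requests rather than open ones.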
