Being or not Being DDoS'ed?

[josesan311]

Hello,

I have a cPanel server which acts a webserver, we have high traffic on few sites, WP sites, but since the last few days my webserver has been acting very weird making the server to be very overloaded and unaccessible.
My partner told me we may been under a DDoS attack as a netstat command is showing a lot of TIME_WAIT connections,

[root@server ~]# netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
26 CLOSE_WAIT
5 CLOSING
101 ESTABLISHED
38 FIN_WAIT1
68 FIN_WAIT2
52 LAST_ACK
1 LISTEN
29 SYN_RECV
2256 TIME_WAIT

If I type a 'ps aux' command i get tons and tons of httpd proccesses.
I have KeepAlive On and KeepAliveTimeout to 4. I have apf with DoS prevention and mod_Evasive.
I have tried several posts here but with no luck. If the TIME_WAIT decreases the server start responding properly.

I dont know what to do and I need to get my sites back online.
Does anyone know how to handle this TIME_WAIT issue thing?


Thank you in advance.

[Quantum|Steven]

Install iftop to the system to get a feel for the amount of data going in and out of the system.

Try installing mod_evasive as well for Apache, that may help. If its truly just HTTP flooding, install CSF and that should cure most of your problems with mod_evasive. If your still having problems you can email me off the email form in my profile or pm me and I can help you out with mitigating an http flood.

[josesan311]

Hello,

As I said on my first post, we are already using mod_evasive and its not helping at all.
We also have APF with DoS prevention as well, still no help.
Is there any way to kill all those TIME_WAIT connections? They seem to be stalled.

Any other suggestion will be highly appreciated.

Thank you guys.