ddos attack?

**Zion Ahead** · 10-02-2007 07:05 PM

I have an issue here. httpd is slagging big time and my max clients is 300.

I see this when running netstat

Code:

root@server5 [~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 websitesforafrica.com:http  190.42.243.192:1916         SYN_RECV    
tcp        0      0 websitesforafrica.com:http  200.121.167.193:11641       SYN_RECV    
tcp        0      0 websitesforafrica.com:http  client-201.230.113.17:14327 SYN_RECV    
tcp        0      0 websitesforafrica.com:http  190.42.84.253:3244          SYN_RECV    
tcp        0      0 websitesforafrica.com:http  201.230.98.64:15059         SYN_RECV    
tcp        0      0 websitesforafrica.com:http  166.114.122.41:62881        SYN_RECV    
tcp        0      0 websitesforafrica.com:http  190.42.151.252:17097        SYN_RECV    
tcp        0      0 websitesforafrica.com:http  190.41.24.108:3421          SYN_RECV    
tcp        0      0 websitesforafrica.com:http  190.43.1.42:1392            SYN_RECV    
tcp        0      0 websitesforafrica.com:http  201.230.79.5:60836          SYN_RECV    
tcp        0      0 websitesforafrica.com:http  client-200.121.153.56:27208 SYN_RECV

Code:

root@server5 [~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
     48 190.42.66.138
     39 190.154.6.203
     28 190.40.51.130
     23 200.121.81.76
     14 207.67.35.142
     13 201.230.224.200
     13 
     11 201.240.178.114
     11 190.77.9.81
     10 201.230.113.175
     10 200.58.160.148
     10 190.41.5.161
      9 201.230.254.69
      9 201.230.135.146
      9 190.43.187.139
      8 200.60.248.119
      7 72.14.195.205
      7 190.42.48.224
      6 200.121.7.31
      6 200.121.223.55
      6 200.121.141.48
      6 200.121.141.186
      6 200.106.37.206
      6 190.42.51.165
      6 190.41.64.13
      5 201.250.55.166
      5 201.240.42.233
      5 201.240.3.61
      5 201.240.113.73
      5 201.240.0.94
      5 201.208.123.190
      5 200.87.203.94
      5 200.121.171.61
      5 200.121.136.238
      5 200.106.47.236
      5 190.42.71.207
      5 190.42.221.73
      5 190.42.194.20
      5 190.42.152.250
      5 190.41.32.40
      4 201.240.48.131
      4 201.240.205.141
      4 201.240.196.217
      4 201.240.124.201
      4 201.240.124.131
      4 201.230.233.68
      4 201.230.195.165
      4 201.230.129.58
      4 201.222.87.163

How do I find out the cause of this? I have no idea who websitesforafrica.com is anyway

**Zion Ahead** · 10-02-2007 07:19 PM

root@server5 [~]# ps aux | grep -c httpd
502

I've done killall -9 httpd numerous times as well, skyrockets again with loads of httpd processes after

root@server5 [~]# netstat -ntp | grep :80 -c
1110

**serversphere** · 10-02-2007 08:44 PM

Sure looks like it could be a ddos. What are they hitting on that site? A single page? Have mod_evasive installed?

LinkBack

Thread Tools

ddos attack?

Is this DDOS attack?

DDoS attack

Is This A DDos Attack?

is this a DDOS attack??

DDOS Attack