Is this a denial of service or something else?

**Epademic** · 02-25-2007 11:11 AM

For the past week or so, 2 or 3 times a day, the server load shoots up from an average of 0.5 to 200+ and number of processes goes from around 100 to 300+ in the space of a couple of minutes. I get an alert from PRM saying “The process (xxxx) has exceeded defined resource limits”

- Event Summary:
USER: nobody
PID : 3247
CMD : /usr/local/apache/bin/httpd
CPU%: 0 (limit: 65)
MEM%: 0 (limit: 25)
PROCS: 199 (limit: 150)

A netstat -apn | egrep ":80 .*CLOSE_WAIT" reveals 100+ lines similar to

tcp 199 0 xx.xx.xx.xxx:80 74.6.75.33:59492 CLOSE_WAIT -
tcp 734 0 xx.xx.xx.xxx:80 211.113.214.116:3038 CLOSE_WAIT -
tcp 796 0 xx.xx.xx.xxx:80 125.54.128.194:39571 CLOSE_WAIT -
tcp 205 0 xx.xx.xx.xxx:80 60.191.80.46:56283 CLOSE_WAIT -
tcp 274 0 xx.xx.xx.xxx:80 65.54.165.63:57265 CLOSE_WAIT -
tcp 36 0 127.0.0.1:80 127.0.0.1:50714 CLOSE_WAIT -
tcp 848 0 xx.xx.xx.xxx:80 202.1.53.79:57711 CLOSE_WAIT -
tcp 0 0 xx.xx.xx.xxx:80 203.70.69.163:45128 CLOSE_WAIT 7123/httpd
tcp 724 0 xx.xx.xx.xxx:80 218.98.195.19:13727 CLOSE_WAIT -
tcp 317 0 xx.xx.xx.xxx:80 66.249.66.136:36832 CLOSE_WAIT -
tcp 716 0 xx.xx.xx.xxx:80 202.93.36.60:28005 CLOSE_WAIT -
tcp 90 0 xx.xx.xx.xxx:80 67.19.0.108:3162 CLOSE_WAIT -
tcp 90 0 xx.xx.xx.xxx:80 67.19.0.108:4678 CLOSE_WAIT -
tcp 36 0 127.0.0.1:80 127.0.0.1:50745 CLOSE_WAIT -
tcp 167 0 xx.xx.xx.xxx:80 65.55.209.191:19859 CLOSE_WAIT -
tcp 787 0 xx.xx.xx.xxx:80 58.138.59.209:33960 CLOSE_WAIT -
tcp 769 0 xx.xx.xx.xxx:80 81.18.162.54:36300 CLOSE_WAIT -
tcp 0 0 xx.xx.xx.xxx:80 201.6.106.84:3957 CLOSE_WAIT 7100/httpd
tcp 199 0 xx.xx.xx.xxx:80 74.6.75.33:46115 CLOSE_WAIT -
tcp 90 0 xx.xx.xx.xxx:80 67.19.0.108:4900 CLOSE_WAIT -

Also I get a load average alert from lfd which is attached below.

Most of the time PRM restarts apache and everything goes back to normal. However on some occasions I have to reboot to regain control. But as soon as apache is restarted or the server is rebooted everything returns to normal.

Is this a Denial of Service or something else? Before last week the server had been trouble free for 120+ days.

Any tips or suggestions are greatly appreciated.

Server Details:

RedHat Enterprise 3
Apache 1.3.37
PHP 4.4.4
cPanel 10.9.0-R139

Secured by ConfigServer and running CSF

Many thanks,

James

**felosi** · 06-19-2007 07:44 AM

doesnt look like enough connections for ddos. maybe someone has a runaway script or something. But that many ips there shouldnt hurt apache. make sure you have connection tracking on anyway in csf, set to about 90 connections normally and during an atatck you can set it pretty low down to 20 or less.

LinkBack

Thread Tools

Is this a denial of service or something else?

Access denial For my Database Connection.

Domain Service Godaddy And WHM Hosting Service Cpanel

Denial of Service attack

Service Monitor Alerts even when service running

Cpanel - General Service Info- Service Status- FAILED