Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Apache displaying massive Reading request, making the webpage down. attack going on??

Discussion in 'EasyApache' started by netbody, Aug 29, 2011.

  1. netbody

    netbody Member

    Jun 7, 2011
    Likes Received:
    Trophy Points:
    my ded. server is busy these days, webpage opening very slow, sometimes can not open at all, but ping speed has not changed, online visitors about the same, 100-200 online.
    From WHM, i can see a lot "?" Reading request, maybe this is the reason making the busy server, I don't know what is it and how do I terminate it??

    attached a screen cap. , thanks for your help

    Attached Files:

  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Oct 2, 2010
    Likes Received:
    Trophy Points:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. tecnotronico

    tecnotronico Active Member

    Apr 17, 2004
    Likes Received:
    Trophy Points:
    Re: Apache displaying massive Reading request, making the webpage down. att


    Recently we got a DoS attack to one of our servers and it just keeping overloading Apache through tons of Reading processes but it didn’t indicate the domain attacked or the IP causing the attack.

    We fixed the situation applying the following procedure:

    First of all we started suspending several accounts through WHM (the accounts with more traffic) and analyzing the error_log file with:

    tail -f /etc/httpd/logs/error_log

    The idea was to detect repetitive abnormal errors. In parallel, We had to stop and start apache several times and cleaning any process related to apache during our analysis since the DoS attack was happening at the same time.

    We did that with:
    service httpd stop
    fuser -k 80/tcp
    service httpd start

    After suspend several accounts we detected an abnormal repetitive error showing:

    [error] [client XXX.XXX.XXX.XXX] request failed: error reading the headers

    We proceed to block such IP using CSF/BFD and the attack was totally stopped. Then we unsuspended the accounts and all came back to the normal behavior.

    Finally, please note that there are several ways to detect the IP attacking the server. They are:

    To see what IPs are being connected to the server and how many connections are for each IP:

    netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

    To see how many connections are being received by each server IP:

    netstat -plan |grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c | sort -n

    To see the total amount of active apache connections:

    netstat -apn | grep :80 | wc -l

    To get the total update on the apache status to see what domain is receiving the bigger amount of hits:

    lynx Apache Status

    Other helpful command:

    /usr/sbin/httpd fullstatus

    We hope it could help if you are having an attack. God Luck …

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice