abusedreality

Well-Known Member
Apr 15, 2003
53
0
156
Hello,

Every time I start apache it is instantly spawing from 1 process upto 152 in under 10 seconds, Below I have pasted an example of what I mean. I would like to note this is a new server and has 14 accounts MAXIMUM none of which use cpu, Most of them are blank pages so this is not good.

[email protected] [/scripts]# service httpd startssl
/etc/init.d/httpd startssl: httpd started
[email protected] [/scripts]# ps -aux | grep -c http
10
[email protected] [/scripts]# ps -aux | grep -c http
14
[email protected] [/scripts]# ps -aux | grep -c http
22
[email protected] [/scripts]# ps -aux | grep -c http
38
[email protected] [/scripts]# ps -aux | grep -c http
70
[email protected] [/scripts]# ps -aux | grep -c http
102
[email protected] [/scripts]# ps -aux | grep -c http
102
[email protected] [/scripts]# ps -aux | grep -c http
104
[email protected] [/scripts]# ps -aux | grep -c http
108
[email protected] [/scripts]# ps -aux | grep -c http
116
[email protected] [/scripts]# ps -aux | grep -c http
132
[email protected]saturn [/scripts]# ps -aux | grep -c http
152
[email protected] [/scripts]# ps -aux | grep -c http
152
[email protected] [/scripts]# ps -aux | grep -c http
152
[email protected] [/scripts]#
Opinions anyone?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
31
473
Go on, have a guess
You're most likely under a DOS attack.

You could try installing mod_dosevasive, or you could do the following:

1. Install an iptables firewall such as APF (if you're on Linux).

2. Temporarily block port 80 and watch your log file /var/log/messages for the IP address that's causing the problems. Unblock port 80 and stick that IP address permanently in the firewall.

There are many other ways of doing this, but it should help you identify the culprit, if it is a DOS.
 

abusedreality

Well-Known Member
Apr 15, 2003
53
0
156
Well, Its been going since yesterday.

1. Install an iptables firewall such as APF (if you're on Linux).
Yep, Already installed

You could try installing mod_dosevasive, or you could do the following:
<IfModule mod_dosevasive.c>
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSSystemCommand "/usr/local/sbin/apf -d %s"
</IfModule>

Will give the other option a try, However shouldn't it affect the cpu load of the server if its a ddos attack, as at the moment cpu is

[email protected] [/scripts]# uptime
15:03:55 up 5:58, 1 user, load average: 0.00, 0.00, 0.00
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,437
31
473
Go on, have a guess
Not necessarily. If Apache is being swamped with connections it simply stops serving pages. Are you still able to browse to your sites on the server when this is happening?