
Being or not Being DDoS'ed?

Discussion in 'General Discussion' started by josesan311, Apr 9, 2009.

  1. josesan311

    josesan311 Active Member

    Hello,

    I have a cPanel server which acts as a webserver. We have high traffic on a few sites, WP sites, but for the last few days my webserver has been acting very weird, making the server very overloaded and inaccessible.
    My partner told me we may be under a DDoS attack, as a netstat command is showing a lot of TIME_WAIT connections:

    [root@server ~]# netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c
    26 CLOSE_WAIT
    5 CLOSING
    101 ESTABLISHED
    38 FIN_WAIT1
    68 FIN_WAIT2
    52 LAST_ACK
    1 LISTEN
    29 SYN_RECV
    2256 TIME_WAIT

    If I type a 'ps aux' command I get tons and tons of httpd processes.
    I have KeepAlive On and KeepAliveTimeout set to 4. I have APF with DoS prevention and mod_evasive.
    I have tried several posts here but with no luck. If the TIME_WAIT count decreases, the server starts responding properly.

    I don't know what to do and I need to get my sites back online.
    Does anyone know how to handle this TIME_WAIT issue thing?


    Thank you in advance.
     
  2. Quantum|Steven

    Install iftop on the system to get a feel for the amount of data going in and out of the system.

    Try installing mod_evasive as well for Apache, that may help. If it's truly just HTTP flooding, install CSF and that should cure most of your problems with mod_evasive. If you're still having problems you can email me off the email form in my profile or PM me and I can help you out with mitigating an HTTP flood.
     
  3. josesan311

    josesan311 Active Member

    Hello,

    As I said in my first post, we are already using mod_evasive and it's not helping at all.
    We also have APF with DoS prevention as well, still no help.
    Is there any way to kill all those TIME_WAIT connections? They seem to be stalled.

    Any other suggestion will be highly appreciated.

    Thank you guys.
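
Added example, not part of any post in this thread: the state totals in the first post show how many port-80 connections sit in each TCP state, but not which remote addresses hold them. The sketch below breaks `netstat -tan` output down per remote address and state, so it is visible whether SYN_RECV or ESTABLISHED counts are concentrated on a few sources. The function names and the sample input (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source breakdown of connections to a local port.
# Live use (assumption: net-tools netstat column layout):
#   netstat -tan | per_source_states 80

# per_source_states PORT
# Reads `netstat -tan` output on stdin and prints "count state remote_ip"
# for every connection to local PORT, highest count first.
per_source_states() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, l, ":")            # local port is the last ":" field
            if (l[n] != port) next
            r = $5; sub(/:[0-9]+$/, "", r)   # drop the remote port
            c[$6 " " r]++
        }
        END { for (k in c) print c[k], k }
    ' | sort -k1,1nr -k2,3
}

# sources_over STATE LIMIT PORT
# Prints remote addresses holding more than LIMIT connections in STATE.
sources_over() {
    per_source_states "$3" |
        awk -v s="$1" -v lim="$2" '$2 == s && $1 > lim { print $3 }'
}

# Constructed sample in netstat -tan format (not data from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         192.0.2.15:51000        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.15:51001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.15:51002        SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:40211      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:40212      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.8:40300      TIME_WAIT
tcp        0      0 203.0.113.10:22         198.51.100.9:50022      ESTABLISHED
EOF
}

sample_netstat | per_source_states 80
```

TIME_WAIT entries are connections that have already been closed and are waiting out a kernel timer, so the per-source SYN_RECV and ESTABLISHED counts are the ones to compare against the number of httpd processes.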
     