JustAName

Registered
Jan 9, 2013
cPanel Access Level
Root Administrator
I have had a DDoS problem in the last few days.
It's not an HTTP flood because Apache is acting as normal, with no additional connections compared to a usual situation.
Server's CPU and MEM are OK, nothing high.
The only problem is 100% network usage.
I ran iftop and saw some unknown IPs connecting to my server through random ports. I have CSF installed and NONE of these ports are allowed, IN or OUT, TCP or UDP. I tried to manually block these IPs and nothing. CSF didn't block them. I am a total beginner to this world, and would like an explanation of which kind of attack it is.
I have added a screenshot to explain my problem.

ddos.jpg

Thank you.
 

srpurdy

Well-Known Member
Jun 1, 2011
cPanel Access Level
Root Administrator
This is actually normal. Those ports are ports assigned by Apache, or the TCP/IP protocol. Basically Apache listens on port 80, but if only port 80 was usable then only 1 person could connect. So there is a "sub" port that each user that connects is assigned based on what ports are available. This is so the correct data goes to the correct place.

As for your network issues, it's hard to say what is causing that, but it could be you're out of bandwidth. You might want to ask your data center about this. (But I'm not expert enough in network issues to give you good advice, so I'll let someone else hopefully help you.)
 

SB-Nick

Well-Known Member
Aug 26, 2008
cPanel Access Level
Root Administrator
I doubt it's a DDoS issue if the CPU usage and Apache are behaving correctly.
Try looking at the process table and see if there aren't any weird Perl/PHP scripts running in the background, although if you said TCP/UDP OUT ports are restricted on your firewall I doubt this is the cause.

Try installing cacti so you can get a decent graph with better values and so you could determine what's going on with your IN or OUT traffic. A more native method would be to tcpdump the NIC and inspect the packets.
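
The tcpdump suggestion in the last reply, as an added example that is not part of the original thread: a small parser that totals captured bytes by direction, protocol and local port, and by remote IP, so you can see whether the load is IN or OUT and whether the "random ports" are only the remote side of connections to a local service port. It assumes the text output of `tcpdump -nn -q` for IPv4 TCP/UDP; the server address `192.0.2.10`, the sample lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter

# Matches lines from `tcpdump -nn -q` (IPv4 TCP/UDP only), e.g.
#   12:00:01.000001 IP 203.0.113.7.51514 > 192.0.2.10.80: tcp 512
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"(?:(tcp) (\d+)|(UDP), length (\d+))"
)

def summarize(lines, server_ip):
    """Total payload bytes by (direction, proto, local port) and by remote IP."""
    by_flow, by_peer = Counter(), Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP, IPv6 etc. are ignored in this sketch
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        proto = (m.group(5) or m.group(7)).lower()
        size = int(m.group(6) or m.group(8))
        if dst == server_ip:
            direction, local_port, peer = "in", dport, src
        elif src == server_ip:
            direction, local_port, peer = "out", sport, dst
        else:
            continue  # traffic not addressed to or from this server
        by_flow[(direction, proto, local_port)] += size
        by_peer[peer] += size
    return by_flow, by_peer

# Constructed sample capture; all addresses are documentation ranges.
SAMPLE = """\
12:00:01.000001 IP 203.0.113.7.51514 > 192.0.2.10.80: tcp 512
12:00:01.000200 IP 192.0.2.10.80 > 203.0.113.7.51514: tcp 1448
12:00:01.000300 IP 192.0.2.10.80 > 203.0.113.7.51514: tcp 1448
12:00:01.000400 IP 198.51.100.23.123 > 192.0.2.10.41822: UDP, length 468
12:00:01.000500 IP 198.51.100.23.123 > 192.0.2.10.41822: UDP, length 468
12:00:01.000600 IP 192.0.2.10.22 > 203.0.113.50.60122: tcp 36
12:00:01.000700 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
""".splitlines()

if __name__ == "__main__":
    flows, peers = summarize(SAMPLE, "192.0.2.10")
    for (direction, proto, port), size in flows.most_common():
        print(f"{direction:3} {proto} local port {port:5}  {size} bytes")
    for peer, size in peers.most_common(3):
        print(f"peer {peer}  {size} bytes")
```

A flow whose local port is a service you run (80, 22) is ordinary client traffic even though the remote port looks random; large byte counts toward a local port with no listener are what to take to the data center.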