Is this a denial of service or something else?

Discussion in 'General Discussion' started by Epademic, Feb 25, 2007.

  1. Epademic

    For the past week or so, 2 or 3 times a day, the server load shoots up from an average of 0.5 to 200+ and number of processes goes from around 100 to 300+ in the space of a couple of minutes. I get an alert from PRM saying “The process (xxxx) has exceeded defined resource limits”

    - Event Summary:
    USER: nobody
    PID : 3247
    CMD : /usr/local/apache/bin/httpd
    CPU%: 0 (limit: 65)
    MEM%: 0 (limit: 25)
    PROCS: 199 (limit: 150)


    A netstat -apn | egrep ":80 .*CLOSE_WAIT" reveals 100+ lines similar to

    tcp 199 0 xx.xx.xx.xxx:80 74.6.75.33:59492 CLOSE_WAIT -
    tcp 734 0 xx.xx.xx.xxx:80 211.113.214.116:3038 CLOSE_WAIT -
    tcp 796 0 xx.xx.xx.xxx:80 125.54.128.194:39571 CLOSE_WAIT -
    tcp 205 0 xx.xx.xx.xxx:80 60.191.80.46:56283 CLOSE_WAIT -
    tcp 274 0 xx.xx.xx.xxx:80 65.54.165.63:57265 CLOSE_WAIT -
    tcp 36 0 127.0.0.1:80 127.0.0.1:50714 CLOSE_WAIT -
    tcp 848 0 xx.xx.xx.xxx:80 202.1.53.79:57711 CLOSE_WAIT -
    tcp 0 0 xx.xx.xx.xxx:80 203.70.69.163:45128 CLOSE_WAIT 7123/httpd
    tcp 724 0 xx.xx.xx.xxx:80 218.98.195.19:13727 CLOSE_WAIT -
    tcp 317 0 xx.xx.xx.xxx:80 66.249.66.136:36832 CLOSE_WAIT -
    tcp 716 0 xx.xx.xx.xxx:80 202.93.36.60:28005 CLOSE_WAIT -
    tcp 90 0 xx.xx.xx.xxx:80 67.19.0.108:3162 CLOSE_WAIT -
    tcp 90 0 xx.xx.xx.xxx:80 67.19.0.108:4678 CLOSE_WAIT -
    tcp 36 0 127.0.0.1:80 127.0.0.1:50745 CLOSE_WAIT -
    tcp 167 0 xx.xx.xx.xxx:80 65.55.209.191:19859 CLOSE_WAIT -
    tcp 787 0 xx.xx.xx.xxx:80 58.138.59.209:33960 CLOSE_WAIT -
    tcp 769 0 xx.xx.xx.xxx:80 81.18.162.54:36300 CLOSE_WAIT -
    tcp 0 0 xx.xx.xx.xxx:80 201.6.106.84:3957 CLOSE_WAIT 7100/httpd
    tcp 199 0 xx.xx.xx.xxx:80 74.6.75.33:46115 CLOSE_WAIT -
    tcp 90 0 xx.xx.xx.xxx:80 67.19.0.108:4900 CLOSE_WAIT -

    Also I get a load average alert from lfd which is attached below.

    Most of the time PRM restarts apache and everything goes back to normal. However on some occasions I have to reboot to regain control. But as soon as apache is restarted or the server is rebooted everything returns to normal.

    Is this a Denial of Service or something else? Before last week the server had been trouble free for 120+ days.

    Any tips or suggestions are greatly appreciated.

    Server Details:

    RedHat Enterprise 3
    Apache 1.3.37
    PHP 4.4.4
    cPanel 10.9.0-R139

    Secured by ConfigServer and running CSF

    Many thanks,

    James
     


  2. felosi

    Doesn't look like enough connections for DDoS. Maybe someone has a runaway script or something. But that many IPs there shouldn't hurt Apache. Make sure you have connection tracking on anyway in CSF, set to about 90 connections normally, and during an attack you can set it pretty low, down to 20 or less.
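A per-address tally of the kind of netstat output posted above, as an added example that is not part of either post: it counts port-80 connections per remote IP, how many are in CLOSE_WAIT, how many of those show no owning process, and how many bytes sit unread in Recv-Q. The function names `conn_tally` and `sample_netstat` are hypothetical, the sample lines are constructed with documentation-range addresses, and the default limit of 90 is the per-IP figure suggested in the reply.

```shell
#!/bin/sh
# Tally port-80 connections per remote IP from `netstat -apn` output on stdin.
# Usage: netstat -apn | conn_tally [limit]
# limit defaults to 90, an assumed per-IP threshold (the figure from the reply).
conn_tally() {
    limit="${1:-90}"
    awk -v limit="$limit" '
        # Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        # Skip the listening socket itself; it has no remote peer.
        $1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9]+$/, "", ip)            # drop the remote port
            total[ip]++
            recvq[ip] += $2                    # bytes received but not yet read
            if ($6 == "CLOSE_WAIT") {
                cw[ip]++
                if ($NF == "-") unowned[ip]++  # netstat shows no PID for it
            }
        }
        END {
            for (ip in total) {
                flag = (total[ip] > limit) ? "OVER_LIMIT" : "ok"
                printf "%s total=%d close_wait=%d unowned=%d recvq=%d %s\n",
                       ip, total[ip], cw[ip], unowned[ip], recvq[ip], flag
            }
        }
    ' | sort -t= -k2,2nr                       # busiest remote address first
}

# Constructed sample input (documentation-range addresses), not from the thread.
sample_netstat() {
    cat <<'EOF'
tcp 199 0 192.0.2.10:80 198.51.100.7:59492 CLOSE_WAIT -
tcp 734 0 192.0.2.10:80 203.0.113.5:3038 CLOSE_WAIT -
tcp 90 0 192.0.2.10:80 198.51.100.7:3162 CLOSE_WAIT -
tcp 0 0 192.0.2.10:80 198.51.100.7:4678 ESTABLISHED 7123/httpd
tcp 0 0 192.0.2.10:80 203.0.113.5:45128 CLOSE_WAIT 7100/httpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7000/httpd
tcp 0 0 192.0.2.10:22 198.51.100.9:50111 ESTABLISHED 812/sshd
EOF
}

# Demo run with a deliberately low limit so one address is flagged.
sample_netstat | conn_tally 2
```

If no single address stands out in `total` but `unowned` and `recvq` are high across many addresses, the connections are arriving and closing without httpd ever reading them, which is worth checking before lowering the per-IP limit.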