Is this an attack? Very rare in netstat... suggestions please

sh4ka

Look at this:
Is this an attack or what? How can I have 300 connections from the primary server IP? And how can I stop that? I've never seen anything like this...

## Just pasted the last lines from the output of the following command:
netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -n

4 201.226.99.61
4 201.228.28.110
4 71.122.139.171
4 87.217.24.5
5 200.72.163.226
5 83.32.103.200
17 200.121.185.120
104 168.243.249.17
301 [PRIMARY_SERVER_IP] ----------------> THIS LINE
 

nickp666

sh4ka said:
Look at this:
Is this an attack or what? How can I have 300 connections from the primary server IP? And how can I stop that? I've never seen anything like this...

## Just pasted the last lines from the output of the following command:
netstat -an | grep :80 | awk '{ print $5 }' | awk -F: '{ print $1 }' | sort | uniq -c | sort -n

4 201.226.99.61
4 201.228.28.110
4 71.122.139.171
4 87.217.24.5
5 200.72.163.226
5 83.32.103.200
17 200.121.185.120
104 168.243.249.17
301 [PRIMARY_SERVER_IP] ----------------> THIS LINE
Are any of the hosted sites using PHP url_fopen() with a URL set to the same server?
 

sh4ka

Do you mean BANNING MY PRIMARY SERVER IP? That will cause some errors on the server, I think, or am I wrong? And I will not be able to access the server... Otherwise I ban only MY PRIMARY SERVER IP on PORT 80, but how can I do that using APF?

Also, after talking with the datacenter techs, one of them told me it may be some SYN flood, to put up a firewall and try to turn off the keepalives in httpd.conf... I already did the keepalives, already have APF well configured with anti-DoS working, and have eth0's suggestions about sysctl hardening...

Load average is better after these changes, but running the netstat command I got 482 connections from the PRIMARY SERVER IP.
 

sh4ka

I agree with that... doesn't sound good to me.
Anyway, doing a "netstat" I got A LOT OF TIME_WAIT connections like this:

tcp 0 0 server.myserver:http 200.122.153.38:27397 TIME_WAIT
tcp 0 0 server.myserver:http cm96171.red83-165.mund:2897 TIME_WAIT
tcp 0 0 server.myserver:http 179.red-82-158-84.user:4422 TIME_WAIT
tcp 0 0 server.myserver:http server.myserver:38928 TIME_WAIT
tcp 0 0 server.myserver:http 202.Red-217-126-253.s:53110 TIME_WAIT
tcp 0 0 server.myserver:http server.myserver:38929 TIME_WAIT

That may be the problem... I don't see a solution for this :(
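As an added example (not from this thread, not cPanel's or APF's code), here is a small POSIX shell script that does what nickp666's question and the TIME_WAIT listing above both call for: it breaks the port-80 peer count down by TCP state and separates the rows where the peer is the server's own IP, so a figure like "301 from the primary IP" can be read as "how many are live ESTABLISHED sockets opened by a local process, and how many are closed connections sitting in TIME_WAIT". The thread's one-liner counts every state together and its `grep :80` also matches a foreign port 80 and local ports such as 8080, which is one way a single peer gets counted twice. The netstat sample and every address in it (203.0.113.10 standing in for the server, documentation-range peers) are constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread: break the port-80 peer count down
# by TCP state and single out peers that are the server's own address.
# The netstat sample and the addresses in it are constructed (documentation
# ranges), not captured from the poster's server.

# count_http_peers: read `netstat -an` output on stdin and print one line per
# (state, peer IP) pair as "count state peer". Only sockets whose LOCAL side
# is port 80 are kept, and the LISTEN socket itself is skipped.
count_http_peers() {
    awk '$1 == "tcp" && $4 ~ /:80$/ && $6 != "LISTEN" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)      # drop the ephemeral port
            n[$6 " " peer]++               # key: "STATE peer"
         }
         END { for (k in n) print n[k], k }' | sort -k1,1n
}

# self_connections: keep only the rows whose peer is the server itself.
# Those are connections some local process opened to its own web server
# (a PHP script fetching a URL on the same box, a cron job, a proxy loop).
self_connections() {
    awk -v own="$1" '$3 == own'
}

# state_totals: collapse the per-peer rows into one total per TCP state, so a
# pile of TIME_WAIT sockets (already-closed connections waiting out their
# timer, with no process behind them) is not mistaken for live load.
state_totals() {
    awk '{ t[$2] += $1 } END { for (s in t) print t[s], s }' | sort -k1,1n
}

# Constructed sample in the column layout of Linux `netstat -an`.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:27397      TIME_WAIT
tcp        0      0 203.0.113.10:80         198.51.100.7:27398      ESTABLISHED
tcp        0      0 203.0.113.10:80         203.0.113.10:38928      TIME_WAIT
tcp        0      0 203.0.113.10:80         203.0.113.10:38929      TIME_WAIT
tcp        0      0 203.0.113.10:80         203.0.113.10:38930      ESTABLISHED
tcp        0      0 203.0.113.10:38930      203.0.113.10:80         ESTABLISHED
tcp        0      0 203.0.113.10:8080       192.0.2.5:51000         ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.5:51001         ESTABLISHED'

# run_sample: the per-peer breakdown for the constructed sample.
run_sample() {
    printf '%s\n' "$SAMPLE" | count_http_peers
}

# On a real host feed live output instead, substituting the primary IP:
#   netstat -an | count_http_peers
#   netstat -an | count_http_peers | self_connections 203.0.113.10
run_sample
echo '--- connections from the server to itself ---'
run_sample | self_connections 203.0.113.10
echo '--- totals per state ---'
run_sample | state_totals
```

With `netstat -anp` (as root) each line also carries the owning PID and program name in a seventh column, which the awk above ignores, so the same functions still work and the ESTABLISHED self-connections can then be traced to the process that opened them (httpd, a PHP process, a cron job); that is the direct way to answer nickp666's question. TIME_WAIT rows show no process because there is none: they are the closing side's final state and expire on their own timer, so a large count of them means many short-lived connections, not something APF can or should block.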