OK, network gurus out there. I ran a netstat -p command on a client's server after noticing a high load (which has since gone down). There were a bunch of open TCP/IP connections to a specific IP address. I got a bunch of normal stuff, but also got a ton of these:
There were about 110 lines of that. Can somebody tell me how to read this: Is my server connecting to port 80 on that server or is that server trying to connect to mine a thousand times on different ports? Just need to know if I should be emailing their abuse folks or if I should be looking to something on my server?
Code:
tcp 1 0 myserver.blahblah.net:39782 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39780 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39781 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39778 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39779 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39776 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39777 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39798 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39797 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39794 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39795 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39807 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39804 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39805 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39802 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39803 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39800 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39801 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39774 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39775 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39772 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39773 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39771 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39810 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39808 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39809 someother.random.net:http CLOSE_WAIT 31946/udevd
[snip]
I guess what worries me is that they are udev processes and not like an apache process or something.
Ideas?
-jake
Edit: OK, just got an email back from the folks who own the IP range of the other server, and apparently that server is a CentOS distro mirror (ftp://69.41.160.250/centos). My server shouldn't be actively updating itself right now (it is a CentOS 5 server so it makes sense) and especially with that many open connections. Would explain the udevd, however.
Any easy way to kill off the close_wait connections and find out why the system is making that many connections to the same server?
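
Added example, not part of the original post: a shell function that groups `netstat -tp` lines like the ones above by state, direction, peer and owning process. It assumes a local ephemeral port range of 32768-61000 (overridable as arguments) and treats a local port in that range as a connection this host opened; the `httpd` line in the sample is constructed for contrast.

```shell
#!/bin/sh
# Added example: summarise `netstat -tp` output per state / direction / peer / process.

# Constructed sample in the format shown in the post (hostnames are the
# post's placeholders; the last line is invented for contrast).
sample_netstat() {
cat <<'EOF'
tcp 1 0 myserver.blahblah.net:39782 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39780 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 1 0 myserver.blahblah.net:39781 someother.random.net:http CLOSE_WAIT 31946/udevd
tcp 0 0 myserver.blahblah.net:http client.example.org:51514 ESTABLISHED 2210/httpd
EOF
}

# Reads netstat lines on stdin and prints: count state direction peer:service pid/program
# $1/$2: assumed ephemeral port range; compare with
# /proc/sys/net/ipv4/ip_local_port_range on the host being examined.
summarise_sockets() {
    awk -v lo="${1:-32768}" -v hi="${2:-61000}" '
    $1 ~ /^tcp/ && NF >= 7 && $6 != "LISTEN" {
        lport = $4; sub(/.*:/, "", lport)        # text after the last colon
        rport = $5; sub(/.*:/, "", rport)
        rhost = $5; sub(/:[^:]*$/, "", rhost)    # peer without its port
        # A numeric local port inside the ephemeral range means this host
        # opened the connection. A service name or a port outside the range
        # means the peer connected to a listener on this host.
        if (lport ~ /^[0-9]+$/ && lport + 0 >= lo && lport + 0 <= hi) {
            dir = "outbound"; svc = rport
        } else {
            dir = "inbound"; svc = lport
        }
        n[$6 " " dir " " rhost ":" svc " " $7]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

sample_netstat | summarise_sockets
```

On lines like the ones in the post this yields a single outbound group: the local ports (397xx) are ephemeral and the remote port is http, so the connections were opened from this server. CLOSE_WAIT means the peer has closed its side while the owning process (PID 31946 here) has not yet closed its own, so those sockets last until that process closes them or exits.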