Server load high as I got many apache : /usr/local/apache/bin/httpd -k star

ASTRAPI

Well-Known Member
Jul 8, 2008
321
0
66
Hello

I have many /usr/local/apache/bin/httpd -k start -DSSL processes and the server load is going up to 80 :(

Any ideas how I can find what is creating so many /usr/local/apache/bin/httpd -k start -DSSL processes?

I am using the nginx plugin in front of Apache.

When I stop Apache the server load is 1.

What is the latest version of Apache that EasyApache installs?

It seems that someone may be using a denial of service exploit, and I hope to get a new update soon so I can install it using EasyApache.

Thank you
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
43
348
somewhere over the rainbow
cPanel Access Level
Root Administrator

ASTRAPI

Dedicated server with 24 GB RAM and 2x quad-core Xeon with only a forum on it.

Code:
netstat -an | grep :80 | wc -l
1700

Code:
netstat -an | grep :80 | grep -i syn | wc -l
130

Code:
netstat -an | grep :80 | grep SYN | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c
Only one IP with 90 connections; the rest have 2-3.

I am already using ddos-deflate and have set it to 300 connections.

MaxClients is already high and there are no related messages in the error log.
 

cPanelTristan

300 connections allowed per IP is a very high number of connections to allow per IP. Why do you have it set to allow 300 simultaneous connections per IP with ddos-deflate? A more reasonable value would be 30-50 at the most.

You might also get an idea of the site if you can run WHM > Apache Status and get details on what site is being hit the most for connections. If that doesn't work, try running it in command line:

Code:
httpd fullstatus
 

ASTRAPI

I set it to 300 because I am using DSO and prefork and I have many images on my forum index ...

Is it wrong though?

I can see some connection spikes from a user, like 20, 50, 150 and then back to 20, and that is OK; that's why ...
 

cPanelTristan

Did you check to see if it is a slowloris attack that is also discussed in the forum post I linked to? There's a command you can add to iptables to bump off slowloris type of attacks that is in that thread.

If what is already being mentioned isn't sufficient to stem what is happening, you'll need to talk to your datacenter, NOC or provider to have them filter it at the network level. They benefit from getting any possible attack filtered as much as you do, since it could impact traffic on their network for other machines as well.
 

ASTRAPI

Code:
/sbin/iptables -I INPUT -p tcp -m state --state NEW --dport 80 -m recent --update --seconds 15 --hitcount 10 -j DROP

Can you please give more info about the --seconds 15 option, as I don't want to get any delay on requests....

Is there a way to add this command using the csf firewall?

I already have these set there:

Code:
SYNFLOOD = "1"
SYNFLOOD_RATE = "30/s"
SYNFLOOD_BURST = "10"
 

cPanelTristan

It means if you have any connections open for 15 seconds that are at 10 connections for the same IP for each connection that it will be dropped. There's little reason for anyone to be hitting the machine for 15+ seconds with 10 simultaneous connections.

You have a choice here. You can either stem the attack and take the chance some users are impacted but not most or you can not stem the attack and have the machine latent for everyone. Otherwise, you can go ahead and get ahold of your datacenter, NOC or provider as already suggested.
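As an added illustration (not code from the thread or from cPanel), the Python model below reproduces how the posted `-m recent --update --seconds 15 --hitcount 10` rule decides per source address, and replays constructed traffic to show which kinds of client would be affected. It assumes the rule is paired with the usual `-m recent --set` rule for packets that pass, since `--update` by itself only refreshes addresses already in the list.

```python
from collections import defaultdict

WINDOW = 15.0   # --seconds 15
HITCOUNT = 10   # --hitcount 10

class RecentList:
    """Model of the xt_recent table for the usual two-rule form:
    -m recent --update --seconds 15 --hitcount 10 -j DROP   (evaluated first)
    -m recent --set                                          (adds passing packets)
    """

    def __init__(self, window=WINDOW, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(list)   # src -> arrival times of NEW connections

    def new_connection(self, src, now):
        """Verdict for a NEW (SYN) packet from src at time now (seconds)."""
        history = self.stamps[src]
        # --update matches only if src is already listed with at least HITCOUNT stamps
        # inside the last WINDOW seconds; the packet being checked is not counted yet.
        recent_hits = sum(1 for t in history if now - t <= self.window)
        if history and recent_hits >= self.hitcount:
            history.append(now)           # --update also records the matched packet
            return "DROP"
        history.append(now)               # --set records the accepted connection
        return "ACCEPT"

def simulate(events, window=WINDOW, hitcount=HITCOUNT):
    """Replay (time, src) NEW-connection events in order; return {src: (accepted, dropped)}."""
    table = RecentList(window, hitcount)
    counts = {}
    for now, src in sorted(events):
        acc, drp = counts.get(src, (0, 0))
        if table.new_connection(src, now) == "ACCEPT":
            counts[src] = (acc + 1, drp)
        else:
            counts[src] = (acc, drp + 1)
    return counts

# Constructed sample traffic (not captured from the poster's server):
#  - a forum reader whose browser opens 8 parallel connections for page images
#  - a user opening one new connection every 5 seconds for two minutes
#  - a single source opening 30 connections within 3 seconds
SAMPLE_EVENTS = (
    [(0.1 * i, "198.51.100.10") for i in range(8)]
    + [(5.0 * i, "198.51.100.20") for i in range(24)]
    + [(0.1 * i, "203.0.113.99") for i in range(30)]
)
```

In this model a source is only dropped from its 11th new connection inside a 15-second span onward, so a browser fetching a page of images over a handful of connections passes, while already established connections are untouched because the rule matches `--state NEW` only.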