server being attacked

jack

Websites on this server are very slow now. Apache server-status shows lots of "reading" entries, no idea where they are from, the IP is not showing:
0-0 8920 0/26/26 R 0.34 7 7 0.0 0.28 0.28 ? ? ..reading..
1-0 8921 0/35/35 R 0.34 8 23 0.0 0.10 0.10 ? ? ..reading..
2-0 8922 0/28/28 R 0.27 10 9 0.0 3.07 3.07 ? ? ..reading..
3-0 8923 0/32/32 R 0.45 19 7 0.0 0.12 0.12 ? ? ..reading..
5-0 8925 0/46/46 R 0.45 15 3365 0.0 1.02 1.02 ? ? ..reading..
6-0 8926 0/27/27 R 0.23 5 8 0.0 0.13 0.13 ? ? ..reading..
7-0 8927 0/41/41 R 0.47 14 7 0.0 0.12 0.12 ? ? ..reading..
8-0 8928 0/38/38 R 0.36 8 6 0.0 0.43 0.43 ? ? ..reading..
9-0 8929 0/34/34 R 0.36 12 7 0.0 1.02 1.02 ? ? ..reading..
10-0 8930 0/48/48 R 0.51 12 91 0.0 0.27 0.27 ? ? ..reading..
11-0 8931 0/23/23 R 0.26 15 7 0.0 0.06 0.06 ? ? ..reading..
12-0 8932 0/32/32 R 0.32 15 19 0.0 0.23 0.23 ? ? ..reading..
13-0 8933 0/26/26 R 0.23 8 22 0.0 0.29 0.29 ? ? ..reading..
14-0 8934 0/38/38 R 0.38 7 7 0.0 0.22 0.22 ? ? ..reading..
15-0 8935 0/32/32 R 0.31 16 7 0.0 0.16 0.16 ? ? ..reading..
16-0 8936 0/29/29 R 0.64 13 57 0.0 0.72 0.72 ? ? ..reading..
17-0 8937 0/33/33 R 0.32 0 39 0.0 0.39 0.39 ? ? ..reading..
18-0 8938 0/35/35 R 0.38 8 7 0.0 0.12 0.12 ? ? ..reading..
19-0 8939 0/34/34 R 0.27 5 6 0.0 0.12 0.12 ? ? ..reading..
20-0 8940 0/40/40 R 0.41 8 6 0.0 0.51 0.51 ? ? ..reading..
21-0 8941 0/32/32 R 0.44 12 11051 0.0 0.31 0.31 ? ? ..reading..
22-0 8942 0/39/39 R 0.97 10 26 0.0 0.09 0.09 ? ? ..reading..
...................


It's like more than 700 of these readings. The bandwidth usage is low and the server load is low, but there are lots of httpd processes. I have apf, mod_evasive and mod_limitipconn installed and activated; they don't seem to be blocking the attacks. Please help!
 
Yes, I had restarted many times.
I found the attacking IPs and blocked them with apf manually. I don't know why apf and mod_evasive don't block them, but it seems OK now.

The attacker creates lots of FIN_WAIT2 connections, which makes lots of httpd processes, e.g.:

218.13.58.214:1028 FIN_WAIT2
218.13.58.214:1029 FIN_WAIT2
218.13.58.214:1030 FIN_WAIT2
218.13.58.214:1031 FIN_WAIT2
218.13.58.214:1032 FIN_WAIT2
218.13.58.214:1033 FIN_WAIT2
218.13.58.214:1034 FIN_WAIT2
218.13.58.214:1035 FIN_WAIT2
218.13.58.214:1036 FIN_WAIT2
218.13.58.214:1037 FIN_WAIT2
218.13.58.214:1039 FIN_WAIT2
218.13.58.214:1040 FIN_WAIT2
218.13.58.214:1041 FIN_WAIT2
218.13.58.214:1042 FIN_WAIT2
 
How do I configure apf to automatically block those IPs which have lots of FIN_WAIT2 connections? It doesn't work for me. :(
 
Run this in a shell:

netstat -na | grep your.site-ip.here | awk '{print $5}' | cut -d. -f1-4 | cut -d: -f1 | sort -n | uniq -c | sort -n

If you get a single IP which has 100-150+ connections, then ban that/those IPs in your firewall or iptables.

Connections of 50-60 are reasonably normal: just people browsing the site, loading all the images, etc.
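The one-liner above, carried a step further as an added example (not code from the thread): it counts connections per remote IP from `netstat -na` output, can restrict the count to one TCP state such as FIN_WAIT2, and lists the IPs above a threshold. The sample netstat output and the function names `count_per_ip` and `flag_ips` are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-remote-IP connection counts from "netstat -na" text.
# Generalises the grep/awk/cut/sort/uniq pipeline from the post above.

# Constructed sample of "netstat -na" output (not real data): one client
# holding five FIN_WAIT2 sockets to the web server, plus normal traffic.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:80       203.0.113.7:1028    FIN_WAIT2
tcp        0      0 192.0.2.10:80       203.0.113.7:1029    FIN_WAIT2
tcp        0      0 192.0.2.10:80       203.0.113.7:1030    FIN_WAIT2
tcp        0      0 192.0.2.10:80       203.0.113.7:1031    FIN_WAIT2
tcp        0      0 192.0.2.10:80       203.0.113.7:1032    FIN_WAIT2
tcp        0      0 192.0.2.10:80       198.51.100.20:40012 ESTABLISHED
tcp        0      0 192.0.2.10:80       198.51.100.20:40013 ESTABLISHED
tcp        0      0 192.0.2.10:80       198.51.100.20:40014 TIME_WAIT
tcp        0      0 192.0.2.10:22       198.51.100.9:55001  ESTABLISHED
udp        0      0 0.0.0.0:123         0.0.0.0:*'

# count_per_ip [STATE]
# Reads netstat -na lines on stdin and prints "<count> <remote-ip>",
# highest count first. Only tcp lines are used; the port is stripped
# after the last colon, which also handles netstat's IPv6 form.
# With STATE given (e.g. FIN_WAIT2), only sockets in that state count.
count_per_ip() {
    state="${1:-}"
    awk -v st="$state" '$1 ~ /^tcp/ && (st == "" || $6 == st) {
        ip = $5; sub(/:[^:]*$/, "", ip); n[ip]++
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_ips THRESHOLD [STATE]
# Prints only the remote IPs holding more than THRESHOLD connections
# (optionally in one state), one per line, highest count first.
flag_ips() {
    count_per_ip "${2:-}" | awk -v t="$1" '$1 > t { print $2 }'
}

# Demo on the constructed sample; on a live box use:
#   netstat -na | flag_ips 100 FIN_WAIT2
printf '%s\n' "$SAMPLE_NETSTAT" | count_per_ip FIN_WAIT2
```

Review the flagged list before feeding it to apf or iptables: a NAT gateway or proxy in front of many real users can legitimately hold a large number of connections from one address.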
 
Thanks for responding.

I'm using a script to block these attacker ips now.
But I wonder whether there is a way to lower the timeout value of FIN_WAIT2?
 