Slow Server - DoS Attack

Nov 17, 2007

My server (Xeon 3.0GHz) went down for no reason yesterday and ever since it was rebooted (and I've rebooted a couple of times since then), pages load extremely slowly or just time out. Server load is constantly hovering around 1 and top stats indicate that the server's resources are not under heavy load, which is contrary to the usual pattern during peak times.

I've checked netstat and I notice a lot of SYN_RECV. Could this be a DoS attack? If so, what steps do I take to stop it?


VPS Incredibly Slow, Huge Numbers Of Slow MySQL Queries For Plesk/Watchdog

Nov 11, 2008

I've got 25 domains on a Virtuozzo/Plesk8.6/CentOS5 VPS. Each domain has one up-to-date install of WordPress, most have very little traffic (average 200MB per month), maybe 2 domains get 5-7GB traffic per month.

I monitor port 80 connections and rarely see more than 10 at a time. That should in my opinion be no problem at all for a VPS with 768MB guaranteed RAM and 2.4GHz CPU. I've got 30GB hard drive spare too.

But... about 8 or 10 times a day it grinds to a complete halt: server load at 500-1000%, sites timing out, Plesk takes 3 mins to load, often I can't even connect with SSH, and the plesk web server, apache

INSERT INTO module_watchdog_sys_stat (time, type, value, service_id) VALUES(FROM_UNIXTIME(1226404705), 'MAINMEM_USAGE', 17472, 11);

80 seconds sounds like a huge amount of time for a MySQL insert to me! Does anyone know if this is likely to be the cause of my trouble? Some problem with Plesk and the database? Or could it be something else?


My Server Is Currently Under Attack

Jul 2, 2009

My server is currently under attack. I have been able to keep it up, but after I ban 500 IPs, I get a lot of different IPs again.

Any idea or suggestion to do mass-ban to those attacking IPs?

tcp 0 0 xxx.xx.xxx.xxx:80 190.87.128.59:3965 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 82.115.52.10:2323 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 90.148.137.56:21094 SYN_RECV
tcp 0 0 xxx.xx.xxx.xxx:80 189.237.35.155:57605 ...


DDOS :: Someone Is Trying To Attack Our Server

Jul 4, 2006

Someone is trying to attack our server (I think so). When running apache status there are a LOT of connections from one network, all requesting the same page. But running: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n does show any of these IPs. So a script blocking DDoS attacks won't work. Anyone know what I can do about this?


How Many Attack Attempts Do You Get To Your Server Per Day?

Aug 22, 2007

I went to my Apache error log today, and noticed that those scum lowlife hackers are trying to hack my server at least 100 times every day!!!

What a disaster!

Examples of URLs they are trying to use:
- http://usuarios.arnet.com.ar/larry123/safe.txt?
- http://uploaded.justfree.com/id.txt?
- http://nukedclx.info/php/base

Is there anything that can be done to prevent this mor*** from even trying to hack (except putting a bullet in his/their head)?


My Server Attack By Hackers

Nov 7, 2009

Two of my websites on the server were changed by the hackers. How did they do it?


Botnet Attack My Server

Nov 3, 2009

I got a botnet attack on my web server... Is there anything I can do to block these attacks? My host isn't helping much.


Bot Attack, How To Protect Server

Oct 22, 2009

How to protect a Linux dedicated server from bot attack? I'm using a Linux server with cPanel, using CSF firewall + DOS Deflate.


Check Server For Dos Attack

May 17, 2009

How can I check a server for DoS/DDoS/SYN attack?

Because my server load is high, performance is low, but I don't have any high process.


Is My Server Under DDOs Attack

Feb 2, 2008

Is this a DDoS attack: .....


New Type Of Server Attack

Jan 31, 2008

I think I'm experiencing some type of alternative to a DDoS attack. My server is being killed by thousands of emails being sent to fake accounts on my server.

I'm not a server administrator, so please bear with me.

My load average is skyrocketing to 800.xx at times. I look at "top" and see "exim" for one specific user on my server. I own all the websites on my server, by the way.

When I look at my email queue, I see thousands of emails coming in to accounts that don't exist for that specific user. Let's say the domain name is salcollaziano.com. Somebody is sending spam to various salcollaziano.com aliases that don't exist. Like webmaster -at- salcollaziano.com and suzy -at- salcollaziano.com.

How can I prevent these spam emails from having any interaction with my server? It's causing me a lot of downtime on all the sites I have running on that particular server.


Threatened With An Attack On My Server

Nov 27, 2008

Not sure if it's a valid threat, but I would like to do the best I can to identify one as early as possible.

Can someone maybe give me an idea of what to look for? They were not specific on their type of attack, but I was hoping that there was maybe a log file I could tail and keep an eye out for irregularities.


My Server Got Phishing Attack

Aug 8, 2007

My server got a phishing attack with bankamerica/paypal etc. I wonder, because we have tight firewall/security etc., but anyway this is terrible. I have found an IP when looking into /var/log/messages -

It looks like (?@85.201.19.xxx). Did it use anonymous FTP? I found the same IP used to log in to another FTP host as well.


Softlayer, My Server Is Under Ddos Attack

Jun 18, 2008

My server is being DDoSed and the network utilisation is at 40% of 1Gbps.

I asked SoftLayer to check and they said my programs/services are taking that much bandwidth.

Can anyone help me?

If my server is under DoS attack, what can I do?

Because the bandwidth used is about 50GB/hr.


Ddos / DoS Attack, Won't Stop. Server Is Down

Jul 7, 2009

My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of HTTP requests from China/Saudi Arabia/Korea. I installed APF firewall and added those countries to the deny list.

Next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed Dos Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list).

Next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.

Currently, I am both behind the hardware firewall and I have APF and Dos Deflate running. However, my server is not accessible.

When I request, I can log in for a couple of minutes, but then I get kicked out.


Ddos Attack Still Dropping My Server

Feb 16, 2008

I have been getting DDoSed for the last month. My host has tried many things on my server that are commonly suggested around here; however, we have over 40 000 connections hitting the server from this attack and it keeps rising.

I am on LiteSpeed.
I also have NetScreen 50 firewall which helped for a little while, however the server still keeps going down.

I am spending $420 a month on my hosting for my dedicated server.
Now it is costing me an extra $400 a month to have the NetScreen firewall running, which is a waste of money as it cannot effectively keep the server running, and I'm not sure if I can even afford that much money a month; however, I might need to spend a little more if need be to just get the server running finally.

Basically I need some options as to what I can do. I would like to stay with my host, they have been good to me; however, if my options are better suited to changing then let me know. I just really need to get my server running great ASAP and to keep it running great when I'm away from the internet.


Better Way To Protect My Server From DDos Attack?

Jun 25, 2008

Today I have a DDoS attack on my server on port :80.

What is the better way to secure my server from DDoS attack?


Someone Hacked My Server And Launched A DoS Attack On Someone Else.

Feb 23, 2007

OS: Centos 4

Someone managed to get into my server and launched a DoS attack on someone else's machine.

How do I find out the person who did this?

How do I find out how the person got in in the first place?

How do I make sure that it cannot happen again using the same method?


How To Stop Further Attack And Further Compromisation Of Server

Jan 10, 2007

Today my system which is hosting the site bepenfriends got compromised (Win 2k3) and now LT tech guys are working on it to reload the system with a data save. I did not have a hardware firewall, which caused this problem. But I had Windows Firewall and the Windows Malicious Software Removal Tool (Defender I haven't installed). I have installed all patches for Win2k3 which were released till today.

Now after restore it will be great work to bring my website back with all those rewritten urls and the softwares and its licenses.

Now please help me out in below stuff.

How to stop further attack and further compromisation of server.


Apparent 'Dictionary Attack' On My Server,

Feb 19, 2007

My site is being attacked by what appears to be a dictionary attack on my mail account. They are sending e-mails to random accounts at my domain from random e-mail accounts from somewhere else. Each of their messages is coming from a unique e-mail address and a unique IP address.

Now, we have some dictionary ACL installed that basically blocks any IP address that is caught doing this. So we are blocking tons of IP addresses, but they keep coming at us with new ones. We also have it set up so that the mail is rejected right away for any accounts that aren’t actual e-mail accounts of yours. However, they are hitting the server so hard that it doesn’t seem to be making any difference.


How Do You Handle DDOS Attack On Client's Server

Jan 6, 2009

I have a client whose server has got a DDoS attack. It causes network disruption and the DC wants to turn off the server. My client feels it is stupid to turn off the server just like that.

Can large attacks be prevented server side?


Server Attack Causing Problems For Three Days

Jun 18, 2008

Ever since Monday morning, my site has had problems because the server at my host is under attack.

Most of Monday my site was down. Then Monday late afternoon, it came back...I thought. The forum is up and running, but the rest of the site, built on WordPress, is screwy.

Most of the plugins aren't working because of inability to connect with the database.

I can't log in to my cPanel at all and haven't been able to since Sunday.

This is the first time I've experienced anything like this, lasting this long.

It has me wondering if I should start considering a new host. I have loved their service, especially their speedy support (native English speaking to boot) so I hate to leave but I'm not sure if their service is going a little downhill or not.


DDOS Attack Kill Only Apache Server

Jan 11, 2007

I have a question related to a DDoS attack. My hosting provider told me that my server was DDoS attacked a few days ago. But in those days my server worked fine; only the Apache server was down. The strange fact is that on the same day as this "DDOS attack" one of their admins worked on something in the SSL section of my server, and during this operation the SSL hosts were down and httpd worked slowly.

In the past 3 months httpd worked very slowly, and after 2-3 restarts of the httpd service the load dropped down below 3.00. I believe their httpd service already had problems and that the SSL configuration caused that Apache failure on the day of the "ddos attack".

I repeat, on that day ONLY SSL hosts worked fine and non-SSL hosts were down.

Is it possible during a DDoS attack for the load to be under 0.5, SSL hosts to work fine, and FTP, mail and other stuff to work like there is nobody on the server (VERY FAST)?


Attack From A Botnet On My Root Server, With The Same Referer

Sep 22, 2007

On one of my root servers a DDoS attack is running, apparently from a botnet; however, all have the same Referer. Who can give me tips on how I can prevent the attacks? Preferably even stop them via the Referer?


Server Too Slow

Apr 9, 2007

This is my server and I host only one site, for image uploads, but it is too slow and Apache is usually down.

How can I optimize this server, please?
Processor Information

Processor #1 Vendor: GenuineIntel
Processor #1 Name: Intel(R) Pentium(R) 4 CPU 2.26GHz
Processor #1 speed: 2262.422 MHz
Processor #1 cache size: 512 KB

Memory Information

Memory: 1002104k/1015744k available (2150k kernel code, 12844k reserved, 716k data, 164k init, 98240k highmem)

System Information

Linux 2.6.9-42.0.3.EL #1 Fri Oct 6 05:59:54 CDT 2006 i686 i686 i386 GNU/Linux

Physcial Disks

Current Memory Usage

             total       used       free     shared    buffers     cached
Mem:       1003164     976220      26944          0     102932     471740
-/+ buffers/cache:     401548     601616
Swap:      1052216     171412     880804
Total:     2055380    1147632     907748


Slow Server ...

Jan 6, 2008

Friends, I now have a dedicated server with a Pentium 4 and 2GB of RAM. My site has more than 100 members online, and now the server feels slow. Should I add extra RAM or make any change to the server?


Server Is Slow

Jun 19, 2007

Why is my hosting server usually slow and down?
CPU Usage : 100%
Main : >3GB (total physical memory: 3GB)

I don't know: does too much user access to the websites hosted on my server make the server slow, while the bandwidth is only 4MB?


Slow Server

Sep 7, 2007

Server is dead slow. It's a 3.0 1GB RAM Plesk Linux Red Hat E4 machine. The top -c result is as below.

197 total, 6 running, 191 sleeping, 0 stopped, 0 zombie
Cpu(s): 4.0% us, 1.7% sy, 0.3% ni, 0.0% id, 94.0% wa, 0.0% hi, 0.0% si
Mem: 1027556k total, 953880k used, 73676k free, 23604k buffers
Swap: 2040244k total, 102308k used, 1937936k free, 87872k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3167 mysql 15 0 288m 67m 4336 S 0.8 6.8 40:37.97 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --
3247 apache 18 0 125m 75m 4344 D 0.7 7.5 0:00.34 /usr/sbin/httpd
3039 root 26 10 13628 5808 2656 S 0.3 0.6 0:00.69 mytop
3250 apache 16 0 121m 71m 4520 R 0.3 7.1 0:00.35 /usr/sbin/httpd
4671 apache 15 0 141m 89m 6512 S 0.2 9.0 0:57.54 /usr/sbin/httpd
1882 popuser 15 0 4176 700 564 S 0.2 0.1 0:00.17 /usr/bin/pop3d Maildir
2111 popuser 15 0 4036 712 564 S 0.2 0.1 0:00.47 /usr/bin/pop3d Maildir
3327 apache 17 0 124m 73m 5556 R 0.2 7.3 0:00.50 /usr/sbin/httpd
1 root 16 0 3580 484 456 S 0.0 0.0 0:02.11 init [3]
2 root 34 19 0 0 0 S 0.0 0.0 0:14.01 [ksoftirqd/0]
3 root 5 -10 0 0 0 S 0.0 0.0 0:00.56 [events/0]
4 root 9 -10 0 0 0 S 0.0 0.0 0:00.00 [khelper]
5 root 15 -10 0 0 0 S 0.0 0.0 0:00.00 [kacpid]
19 root 5 -10 0 0 0 S 0.0 0.0 0:00.00 [kblockd/0]
40 root 10 -10 0 0 0 S 0.0 0.0 0:00.00 [aio/0]
20 root 15 0 0 0 0 S 0.0 0.0 0:00.00 [khubd]
39 root 15 0 0 0 0 S 0.0 0.0 4:09.01 [kswapd0]
186 root 25 0 0 0 0 S 0.0 0.0 0:00.00 [kseriod]
295 root 15 0 0 0 0 D 0.0 0.0 2:29.80 [kjournald]
1373 root 6 -10 2272 376 372 S 0.0 0.0 0:00.02 udevd
1606 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 [kauditd]
1648 root 6 -10 0 0 0 S 0.0 0.0 0:00.00 [kmirrord]
1672 root 15 0 0 0 0 S 0.0 0.0 0:00.00 [kjournald]
1673 root 19 0 0 0 0 S 0.0 0.0 0:00.00 [kjournald]
2443 root 15 0 1608 528 456 D 0.0 0.1 2:14.13 syslogd -m 0
2447 root 16 0 2696 368 316 S 0.0 0.0 0:00.00 klogd -x
2474 rpc 15 0 3304 404 400 S 0.0 0.0 0:00.00 portmap
2493 rpcuser 18 0 2648 528 524 S 0.0 0.1 0:00.00 rpc.statd
2519 root 16 0 4672 188 152 S 0.0 0.0 0:00.10 rpc.idmapd
2590 root 15 0 1952 436 284 S 0.0 0.0 0:00.07 /usr/sbin/smartd
2599 root 19 0 1940 356 352 S 0.0 0.0 0:00.00 /usr/sbin/acpid
2659 named 16 0 43736 7664 1884 S 0.0 0.7 12:22.15 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/name
2702 root 16 0 4956 912 792 S 0.0 0.1 0:03.86 /usr/sbin/sshd
2715 root 16 0 3104 712 620 S 0.0 0.1 1:02.87 xinetd -stayalive -pidfile /var/run/xinetd.pid
2869 postgres 16 0 19772 1440 1332 S 0.0 0.1 0:00.08 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data
2873 postgres 18 0 10572 216 176 S 0.0 0.0 0:00.00 postgres: stats buffer


Server Is So Slow

Mar 5, 2007

My server is so slow I don’t know where the problem is

Server Load from 2 to 8
Monthly bandwidth 1300 GB
Unique visitors 4000 - 5000 daily
Page loads 13.000 – 20.000

These are the current server features:
Intel Pentium 4 2.8GHz
1024MB RAM
Bandwidth: 1500GB


Server Slow To Load

May 14, 2009

I don't know much about what could be causing this, so I come to you for advice. I am currently at WiredTree on their VPS384 package with 348MB of RAM and my site is really slow to load [url]. Sometimes it is so embarrassing to show people that I just don't bother. I am sure this is deterring visitors from my content. How can I speed this up?

I can add more RAM but it will push the price, and if the price goes too high I might as well move to a Hybrid with WiredTree.


Server Network Very Slow

Jun 22, 2009

problem with my server running CentOS 5.3.

I noticed that there are huge pings to my server from time to time, example:

------------------
64 bytes from HOSTNAME (server-IP): icmp_seq=0 ttl=60 time=2.93 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=1 ttl=60 time=2.70 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=2 ttl=60 time=1901 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=3 ttl=60 time=899 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=5 ttl=60 time=2.69 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=6 ttl=60 time=2.62 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=4 ttl=60 time=2132 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=8 ttl=60 time=2.57 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=7 ttl=60 time=1190 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=10 ttl=60 time=2.65 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=9 ttl=60 time=1048 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=12 ttl=60 time=2.74 ms
64 bytes from HOSTNAME (server-IP): icmp_seq=11 ttl=60 time=1205 ms
------------------

First I thought that it was network related, but the strangest thing for me was that I did not have any packet loss.

Then I tried to ping from my server to other hosts - the situation was the same - some pings were good and some were huge (700ms, 800ms, even 2000ms)

I checked:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
and it was 65536

Then I checked:
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count
and it was ~1600 so normal.

dmesg was showing such errors:

conntrack_ftp: partial 227 3331059707+13

Then I checked ifconfig, here is the output:

------------------
eth0 Link encap:Ethernet HWaddr 00:24:21:57:2B:6F
inet addr:MAIN=IP Bcast:BCAST=IP Mask:255.255.255.192
inet6 addr: fe80::224:21ff:fe57:2b6f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:170557113 errors:0 dropped:2421127049 overruns:0 frame:0
TX packets:182047660 errors:0 dropped:46 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2756835074 (2.5 GiB) TX bytes:79640621 (75.9 MiB)
Interrupt:82 Base address:0xe000
------------------

Strange for me was:

RX packets [...] dropped:2421127049
TX packets [...] dropped:46

I did not have such dropped information on any of my other servers. The dropped counter for RX was constantly increasing.

So I decided to restart all services on the server. After restarting network and ipaliases - problem disappeared. RX dropped counter is still rising, but I do not have any slowdowns on the server and pings are normal.

My question is - does anyone have any idea what could cause my problem and how I can prevent this in the future?








Copyrights 2005-15 www.BigResource.com, All rights reserved