Wednesday, August 19, 2009

apache running processes sort

SkyHi @ Wednesday, August 19, 2009
[root@home log]# netstat -an | grep :80 | sort
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.101:80 64.180.94.56:1265 TIME_WAIT
tcp 0 0 192.168.0.101:80 64.180.94.56:1266 TIME_WAIT
tcp 0 0 192.168.0.101:80 64.180.94.56:1275 FIN_WAIT2
tcp 0 0 192.168.0.104:80 208.181.49.69:22399 ESTABLISHED
tcp 0 0 192.168.0.104:80 208.181.49.69:22402 ESTABLISHED
tcp 0 0 192.168.0.121:80 154.5.60.241:60893 ESTABLISHED
tcp 0 0 192.168.0.121:80 154.5.60.241:60894 ESTABLISHED
tcp 0 0 192.168.0.134:80 76.99.30.107:40234 FIN_WAIT2
tcp 0 0 192.168.0.134:80 76.99.30.107:40236 FIN_WAIT2
tcp 0 0 192.168.0.134:80 76.99.30.107:40238 FIN_WAIT2
tcp 0 0 192.168.0.165:80 116.50.163.226:3314 TIME_WAIT
tcp 0 0 192.168.0.165:80 116.50.163.226:3318 TIME_WAIT
tcp 0 0 192.168.0.165:80 116.50.163.226:3320 ESTABLISHED
tcp 0 0 192.168.0.178:80 79.125.49.52:43245 TIME_WAIT
tcp 0 0 192.168.0.191:80 70.90.164.174:59111 FIN_WAIT2
tcp 0 0 192.168.0.191:80 70.90.164.174:59112 FIN_WAIT2
tcp 0 0 192.168.0.191:80 70.90.164.174:59113 FIN_WAIT2
tcp 0 0 192.168.0.191:80 70.90.164.174:59114 FIN_WAIT2
tcp 0 0 192.168.0.191:80 71.113.160.10:60300 FIN_WAIT2
tcp 0 0 192.168.0.191:80 71.113.160.10:60301 FIN_WAIT2
tcp 0 0 192.168.0.39:80 70.71.251.115:34584 ESTABLISHED
tcp 0 0 192.168.0.39:80 70.71.251.115:38894 ESTABLISHED
tcp 0 0 192.168.0.39:80 70.71.251.115:40175 ESTABLISHED
tcp 0 0 192.168.0.39:80 70.71.251.115:41912 ESTABLISHED
tcp 0 0 192.168.0.39:80 70.71.251.115:47310 ESTABLISHED
tcp 0 0 192.168.0.39:80 70.71.251.115:47654 ESTABLISHED
tcp 0 0 192.168.0.75:80 8.9.209.2:54209 TIME_WAIT
tcp 0 0 192.168.0.77:80 75.156.50.192:38300 ESTABLISHED
tcp 0 0 192.168.0.77:80 75.158.138.131:61653 TIME_WAIT
tcp 0 0 192.168.0.84:80 67.195.115.253:46392 TIME_WAIT
tcp 0 1 192.168.0.191:80 32.157.97.107:49859 LAST_ACK
tcp 0 1 192.168.0.191:80 32.157.97.107:49860 LAST_ACK
tcp 0 1 192.168.0.191:80 32.157.97.107:49861 LAST_ACK
tcp 0 15171 192.168.0.191:80 64.71.15.195:25977 LAST_ACK
tcp 0 613 192.168.0.191:80 64.71.15.195:25969 LAST_ACK
udp 0 0 0.0.0.0:800 0.0.0.0:*
[root@home log]# netstat -plan|grep :80 |awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n
1 207.134.81.127
1 209.52.151.198
1 64.71.15.195
1 65.55.109.191
1 66.183.59.184
1 75.156.50.192
2 0.0.0.0
2 154.5.60.241
2 174.7.0.216
2 199.212.19.130
2 64.180.94.56
2 67.195.115.253
2 79.125.49.52
3 116.50.163.226
3 72.30.87.105
3 76.99.30.107
4 24.80.152.230
4 68.223.136.135
4 68.231.228.199
4 76.181.41.169
6 70.71.251.115
6 75.157.198.143

The second pipeline takes the foreign-address column ($5), strips the port with cut, and counts how often each remote IP appears, so the list runs from the quietest client to the busiest. Two caveats are visible in this very output: grep :80 also matches the udp :800 socket and the 0.0.0.0:* LISTEN entry (the two 0.0.0.0 lines in the first listing, hence "2 0.0.0.0" here), and it would match port 8080 as well, so anchor the pattern as ':80 ' with the trailing space. cut -d: also breaks IPv6 addresses, which contain colons of their own.

Check the load on the server with:

# w

Also check whether an unusually large number of Apache processes is running:

# ps aux | grep -c '[h]ttpd'

(The bracket in the pattern stops grep from counting its own process; grep is case-sensitive, so "grep HTTP" would match nothing. On Debian-based systems the daemon is named apache2 rather than httpd.)

1) At the command prompt run:

# netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

(netstat -l lists only listening sockets and cannot show client connections, so use -a, or -plan as above. The trailing space in ':80 ' keeps ports such as 800 and 8080 out of the match.)

2) Check each block of IPs. If a single IP has more than 30 connections, treat it as suspect: under normal conditions one client has no need for that many simultaneous connections. Keep in mind that a large NAT gateway or corporate proxy can legitimately show many connections from one address, and that TIME_WAIT entries are already-closed connections the kernel is still timing out, so compare against what the server normally sees before acting.

3) If more than 5 hosts connect from the same network, that is a strong sign of a DDoS, though a crawler farm or a busy campus network can look the same; a glance at the user agents and request paths for those addresses in the access log settles it.

4) Block those IPs/networks using iptables or APF:

# iptables -I INPUT -s IP_OR_NETWORK -j DROP

Use -I (insert at the top of the chain) rather than -A: an appended rule lands after any existing rule that accepts port 80 and is never reached. Rules added this way are lost on reboot unless saved (service iptables save on RHEL/CentOS).

If you have APF, add the IPs you want to block to /etc/apf/deny_hosts.rules.

5) Keep repeating this process until the attack on the machine subsides.
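Steps 1 to 4 above, and the netstat/awk pipeline from the listing at the top, as one script. This is an added example, not code from the original post. It runs against a constructed netstat sample embedded in the script (made-up data, some rows copied in the style of the listing above), anchors the port match on the local-address column instead of a bare grep :80, counts distinct hosts per /24 (the /24 boundary and the thresholds are assumptions), and prints the iptables rules for review instead of running them.

```shell
#!/bin/bash
# Added example (not from the original post): aggregate `netstat -an` output
# for a web server by remote IP and by /24 network, then emit iptables rules
# for sources that exceed the thresholds used in the procedure above.
# For live use, replace the constructed sample with:  netstat -ant | http_peers

# Constructed netstat sample (not real data). Layout matches Linux `netstat -an`.
# It deliberately includes rows a bare `grep :80` would match by mistake:
# udp :800, a local :8080 socket, a remote port 8022, and the LISTEN rows.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.39:80         70.71.251.115:34584     ESTABLISHED
tcp        0      0 192.168.0.39:80         70.71.251.115:38894     ESTABLISHED
tcp        0      0 192.168.0.39:80         70.71.251.115:40175     ESTABLISHED
tcp        0      0 192.168.0.39:80         70.71.251.115:41912     ESTABLISHED
tcp        0      0 192.168.0.39:80         70.71.251.115:47310     ESTABLISHED
tcp        0      0 192.168.0.39:80         70.71.251.115:47654     ESTABLISHED
tcp        0      0 192.168.0.191:80        70.90.164.174:59111     FIN_WAIT2
tcp        0      0 192.168.0.191:80        70.90.164.174:59112     FIN_WAIT2
tcp        0      0 192.168.0.191:80        70.90.164.174:59113     FIN_WAIT2
tcp        0      0 192.168.0.101:80        64.180.94.56:1265       TIME_WAIT
tcp        0      0 192.168.0.101:80        10.20.30.1:5001         SYN_RECV
tcp        0      0 192.168.0.101:80        10.20.30.2:5002         SYN_RECV
tcp        0      0 192.168.0.101:80        10.20.30.3:5003         SYN_RECV
tcp        0      0 192.168.0.101:80        10.20.30.4:5004         SYN_RECV
tcp        0      0 192.168.0.101:8080      10.0.0.5:4000           ESTABLISHED
tcp        0      0 192.168.0.101:22        10.0.0.6:8022           ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:800             0.0.0.0:*'

# http_peers [port]: from netstat on stdin, print "REMOTE_IP STATE" for every
# TCP socket whose LOCAL address ends in :port (default 80). Anchoring on the
# local column avoids matching :800/:8080 or remote ports that contain "80",
# and dropping LISTEN removes the 0.0.0.0 entry the bare pipeline counts.
http_peers() {
  awk -v port="${1:-80}" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
      ip = $5; sub(/:[0-9*]+$/, "", ip)   # strip the remote port
      print ip, $6
    }'
}

# count_per_ip: "N IP" per remote address, busiest first (step 2).
count_per_ip() {
  awk 'NF { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# hosts_per_net: "N NET/24" = number of DISTINCT remote hosts per IPv4 /24
# (step 3: many different hosts from one network). The /24 boundary is an
# assumption; the real network may be larger or smaller.
hosts_per_net() {
  awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
         split($1, o, "."); net = o[1] "." o[2] "." o[3] ".0/24"
         if (!seen[net, $1]++) hosts[net]++
       }
       END { for (net in hosts) print hosts[net], net }' | sort -k1,1nr -k2,2
}

# state_summary: "N STATE". A pile of SYN_RECV suggests a SYN flood; a pile of
# TIME_WAIT is mostly closed connections the kernel is still timing out.
state_summary() {
  awk 'NF { s[$2]++ } END { for (st in s) print s[st], st }' | sort -k1,1nr -k2,2
}

# flag_sources MAX_PER_IP MAX_HOSTS_PER_NET: print (do not run) iptables rules
# for offenders (step 4). -I inserts at the top of INPUT so the DROP precedes
# any existing ACCEPT for port 80; review the output before piping it to sh.
flag_sources() {
  local max_ip="${1:-30}" max_net="${2:-5}" peers
  peers="$(cat)"
  printf '%s\n' "$peers" | count_per_ip \
    | awk -v max="$max_ip" '$1 > max { print "iptables -I INPUT -s " $2 " -j DROP" }'
  printf '%s\n' "$peers" | hosts_per_net \
    | awk -v max="$max_net" '$1 > max { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Demo on the constructed sample with low thresholds (5 per IP, 3 hosts per /24)
# so the small sample triggers both kinds of rule.
echo "== connections per remote IP";     printf '%s\n' "$SAMPLE_NETSTAT" | http_peers | count_per_ip
echo "== distinct hosts per /24";        printf '%s\n' "$SAMPLE_NETSTAT" | http_peers | hosts_per_net
echo "== connection states";             printf '%s\n' "$SAMPLE_NETSTAT" | http_peers | state_summary
echo "== proposed rules (review first)"; printf '%s\n' "$SAMPLE_NETSTAT" | http_peers | flag_sources 5 3
```

On the sample, the per-IP count puts 70.71.251.115 first with 6 connections, the per-network count shows 4 distinct hosts in 10.20.30.0/24 (all in SYN_RECV, the shape of a SYN flood), and the local :8080 socket, the udp :800 socket and the remote port 8022 are all left out. With live data the thresholds go back to the 30-per-IP and 5-per-network values from the steps above, and the printed rules are checked against the access log before they are applied.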