Dear guys,
I have a serious problem with my server.
Sometimes (often at night), we have an attack on my HTTP server (port 80). I checked with netstat commands with a lot of switches and features, and the only thing I can understand from these netstat commands is: there are a lot of TCP connections (on port 80) with no IP! Unfortunately, this puts a lot of load on my server.
And when we restart the web server, all of those connections are lost, no load continues on the server, and there is no more load on the server until the attack starts again.
For example, you can see the result after restarting the web server (Apache), about 2 minutes after an attack:
[root@hosted-by ~]# netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
9
7 155.121.25.38
1 servers)
1 Address
1 95.85.112.209
The one thing that amazes me is: with 100 to 150 TCP connections (on port 80), the load on my server (a server with 4 GB of RAM and a 4-core Xeon CPU) grows to 110%!
I tried to trace the issue with the tcpdump sniffer, and I couldn't find any result from tcpdump.
I just saw some ARP packets in the tcpdump report from some neighbor IPs in the data center (in the same range as my server's IP address). And now I can't see the IP addresses in the tcpdump results again.
What is your opinion on how to find a solution for this problem?
I guess that it is something like a DoS attack with a new, unknown method!
Thanks all.
Regards.
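An added example, not part of the original post: a shell helper that counts port-80 peers from "netstat -nt" output the way the pipeline above does, but skips netstat's two header rows (the "servers)" and "Address" entries in the output above are those header rows being counted) and groups by TCP state, so half-open SYN_RECV connections show up separately from established ones. The sample netstat output and all addresses in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Counts connections to a port
# per remote peer and TCP state, ignoring netstat header lines and LISTEN rows.

# Constructed sample of `netstat -nt` output (all addresses are made up).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:55555         ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN'

# Usage: netstat -nt | count_port_peers PORT
# Prints "count state peer_ip" lines, most frequent first.
count_port_peers() {
    port="$1"
    awk -v port="$port" '
        # Keep only real connection rows: proto tcp/tcp6, local address ending
        # in :PORT, and a concrete foreign address (LISTEN rows end in "*").
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $5 !~ /\*$/ {
            peer = $5
            sub(/:[0-9]+$/, "", peer)        # strip the remote port
            if (peer == "") peer = "(no-address)"
            count[$6 " " peer]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k3,3
}

# Usage: netstat -nt | count_in_state PORT STATE
# Prints the total number of connections to PORT in the given TCP state,
# e.g. how many are stuck half-open in SYN_RECV.
count_in_state() {
    port="$1"
    state="$2"
    count_port_peers "$port" | awk -v st="$state" '$2 == st { n += $1 } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample; on a live host feed it
# `netstat -nt` output instead of the sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_port_peers 80
```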