- 05-29-2009 #1 Just Joined!
- Join Date
- May 2009
- Posts
- 2
DDOS attack help me
Hello,
My server is using too many httpd processes. I think I am under DDoS attack. I executed the following command:
Code:
netstat -an | grep :80 | sort
and the result is this
Am I under DDoS attack? If so, please tell me how to avoid this.
- 06-01-2009 #2 Just Joined!
- Join Date
- Mar 2008
- Posts
- 69
What makes you think your server is being attacked? You say your comp is having too many httpd processes? Can you explain that? Are you running too many occurrences of Apache?
As far as your netstat, check out the man page for netstat, page 8.
Here is some info based on your report. This is just listing what is happening at the moment.
What makes you think you are in a DDoS attack? Is your server crashing, not able to get to it? What is going on as far as a DDoS attack?
OUTPUT
Active Internet connections (TCP, UDP, raw)
Proto
The protocol (tcp, udp, raw) used by the socket.
Recv-Q
The count of bytes not copied by the user program connected to this
socket.
Send-Q
The count of bytes not acknowledged by the remote host.
Local Address
Address and port number of the local end of the socket. Unless the
--numeric (-n) option is specified, the socket address is resolved to
its canonical host name (FQDN), and the port number is translated into
the corresponding service name.
Foreign Address
Address and port number of the remote end of the socket. Analogous to
"Local Address."
State
The state of the socket. Since there are no states in raw mode and usually
no states used in UDP, this column may be left blank. Normally
this can be one of several values:
ESTABLISHED
The socket has an established connection.
CLOSED The socket is not being used.
CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.
LAST_ACK
The remote end has shut down, and the socket is closed. Waiting
for acknowledgement.
- 06-03-2009 #3
Try this
ps -A | grep httpd
This will show how many httpd processes are running. An Apache server can handle 256 of these - although it may be configured to handle less.
If we hit that bullseye, the rest of the dominoes will fall like a house of cards. Checkmate! (Zapp Brannigan)
My new blog. It's probably not as good as I think it is.
The Fifth Continent reborn
- 06-04-2009 #4 Linux Newbie
- Join Date
- Apr 2008
- Location
- India
- Posts
- 170
It might help you
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -a -n | grep -E "^(tcp)" | cut -c 68- | sort | uniq -c | sort -n
Regards
David.s
davidanands.co.cc
-->Success is the list of failures ...!!!
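An added example, not part of any post in this thread: a triage sketch that tallies port-80 connections by TCP state and by remote address, for netstat output in either plain IPv4 form or the `::ffff:` IPv4-mapped form, where cutting on the first colon yields an empty field. The function names are made up for illustration and the sample lines are constructed from documentation address ranges.

```shell
#!/bin/sh
# Constructed sample in "netstat -an" layout (documentation addresses only).
sample_netstat() {
cat <<'EOF'
tcp        0   1491 ::ffff:192.0.2.10:80   ::ffff:198.51.100.7:2263    LAST_ACK
tcp      218      0 ::ffff:192.0.2.10:80   ::ffff:203.0.113.5:45186    CLOSE_WAIT
tcp      405      0 ::ffff:192.0.2.10:80   ::ffff:203.0.113.5:45525    CLOSE_WAIT
tcp      468      0 ::ffff:192.0.2.10:80   ::ffff:203.0.113.5:45015    CLOSE_WAIT
tcp      106      0 ::ffff:192.0.2.10:80   ::ffff:198.51.100.9:38244   ESTABLISHED
tcp        0      0 192.0.2.10:80          198.51.100.9:38250          ESTABLISHED
tcp        0      0 192.0.2.10:22          198.51.100.20:50000         ESTABLISHED
tcp        0      0 0.0.0.0:80             0.0.0.0:*                   LISTEN
EOF
}

# Count port-80 connections per TCP state (column 6), busiest state first.
state_counts() {
  awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" { n[$6]++ }
       END { for (s in n) print n[s], s }' | sort -k1,1nr -k2
}

# Count port-80 connections per remote address (column 5), busiest peer first.
peer_counts() {
  awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 != "LISTEN" {
         peer = $5
         sub(/:[0-9]+$/, "", peer)   # drop the trailing :port
         sub(/^::ffff:/, "", peer)   # drop the IPv4-mapped prefix
         n[peer]++
       }
       END { for (p in n) print n[p], p }' | sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_netstat | state_counts
sample_netstat | peer_counts
```

On a live host, pipe real output in instead of the sample, for example `netstat -ant | peer_counts`. Many sockets in CLOSE_WAIT with a non-zero Recv-Q mean the remote end has shut down and the local server has not yet closed its side, which matches the man page text quoted in post #2.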



