Internal DDOS attack???

November 03, 2012
We faced a weird problem in the wee hours of Saturday Night / Sunday morning and felt it best to post it in the hope it may help someone else with a similar issue.

Around midnight one of the JNH Solutions servers became quite slow, and all indications pointed to a DDOS attack (distributed denial of service).

It actually wasn’t. It turned out to be a corrupt database table, and the system was hammering that table over many connections at once.

First of all, if you run a Linux server and think you may be the victim of a DDOS attack, open a terminal and run:

netstat -n | grep :80 | wc -l

If the number is quite high, say 500+, then you may have a DDOS attack on your hands. The next command groups the connections by IP so you can see which addresses are hogging your server’s processing power:

netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

In my case it turned out to be my own internal server IP address.
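The two checks above, reworked as an added shell example that runs against constructed netstat output instead of the live server (this is not the post’s own code; the sample lines, the LOCAL_IPS list and the function names are made up for illustration):

```shell
#!/bin/sh
# Constructed sample of `netstat -anp` output (not captured from a real host).
# The server's own address is 10.0.0.5; three port-80 connections come from itself.
SAMPLE='tcp        0      0 10.0.0.5:80             10.0.0.5:51234          ESTABLISHED 1234/mysqld
tcp        0      0 10.0.0.5:80             203.0.113.7:40001       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:80             10.0.0.5:51235          ESTABLISHED 1234/mysqld
tcp        0      0 10.0.0.5:22             198.51.100.9:50000      ESTABLISHED 999/sshd
tcp        0      0 10.0.0.5:80             10.0.0.5:51236          ESTABLISHED 1234/mysqld
udp        0      0 0.0.0.0:123             0.0.0.0:*                           555/ntpd'

# Addresses that belong to this host (constructed for the example).
LOCAL_IPS='10.0.0.5 127.0.0.1'

# Check 1 from the post: how many lines mention port 80.
# Note that `grep :80` also matches :8080, :8000 etc.; here the sample has none.
count_port80() {
    printf '%s\n' "$SAMPLE" | grep :80 | wc -l | tr -d ' '
}

# Check 2 from the post: remote endpoints grouped by IP, busiest last.
# grep -E is used instead of the GNU-only 'tcp\|udp' so it also runs on BSD grep.
per_ip() {
    printf '%s\n' "$SAMPLE" | grep -E 'tcp|udp' | awk '{print $5}' \
        | cut -d: -f1 | sort | uniq -c | sort -n
}

# The single IP with the most connections.
top_ip() {
    per_ip | tail -n 1 | awk '{print $2}'
}

# Return 0 when the given address is one of the host's own.
is_local() {
    for ip in $LOCAL_IPS; do
        [ "$ip" = "$1" ] && return 0
    done
    return 1
}

# "internal" when the busiest peer is the server itself (the post's situation:
# look for a broken service, not an attacker); "external" otherwise.
verdict() {
    if is_local "$(top_ip)"; then echo internal; else echo external; fi
}

# Stand-alone run: prints the table, then the verdict.
per_ip
verdict
```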

My worst fear was that someone had managed to force their way into my web server, but luckily it turned out to be quite minor. I was able to go into phpMyAdmin and repair the table quite easily. Once I restarted everything, the traffic dropped back to 5% of what it had been.

I was also able to identify a few dodgy IPs that had been constantly spamming some of my WordPress sites, and block them in the iptables firewall with:

route add -host <offending IP> reject

(where <offending IP> is a placeholder for the address to block).

Hope this will help someone else with a similar issue.

