My server is being flooded until apache becomes non-responsive, and I need some help finding and blocking the responsible IP address(es).
Normally, I don't have more than 150 connections. Now I have thousands:
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
1 established)
1 Foreign
13 LAST_ACK
20 CLOSING
30 SYN_RECV
41 LISTEN
44 FIN_WAIT1
74 FIN_WAIT2
77 CLOSE_WAIT
273 ESTABLISHED
1960 TIME_WAIT
MRTG graph clearly shows the normal connections until the attack begins:
This is the result of counting connections per IP (end of list only):
netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
5 4.59.90.216
5 4.59.90.222
5 4.59.90.237
5 4.59.90.242
5 74.125.26.95
6 186.158.143.202
6 216.58.219.162
6 4.59.90.251
7 104.24.5.60
7 216.58.192.66
7 4.59.90.212
7 4.59.90.231
7 4.59.90.241
9 216.58.192.98
10 189.177.214.89
10 23.10.101.162
11 4.59.90.226
12 85.94.197.200
25 216.58.219.66
31 216.58.219.130
40 0.0.0.0
86 83.101.136.42
1026 10.0.0.2
The last one is the server's IP, I have not idea why it's shown. Thanks.