what type of attack is this?

My web hosting production server often suddenly gets very high CPU load, with too many new /usr/sbin/httpd processes that use a lot of CPU. I got this issue 2 times this week, and the issue lasts around 6-10 hours and then goes back to normal. The attack made my Apache very slow and stopped; CPU load went to 40,100 from a daily average CPU usage of 3 or 4. I have contacted my DC and they told me that my server was not under DDoS attack, bandwidth usage was normal, and also they activated ddos attack but it didn't help. CSF SYN flood protection didn't work either.

I use cPanel + CloudLinux, and checking the CloudLinux LVE stats I didn't find any user using too much CPU/EP process/nprocess; all were normal.
The following is a top/htop screenshot from when I was getting attacked: too many /usr/sbin/httpd processes that never end.
What type of attack is this? How to prevent it?

Comments

  • MasonR Community Contributor

    Probably bots flooding your server or trying to brute force some login on your site. If you don't have fail2ban installed, I'd highly recommend doing that, as it can monitor your Apache error logs and ban any offending IPs for a certain amount of time, mitigating spam/brute force attacks.

    Check out this tutorial here: https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

  • I have seen this on my WordPress sites, and it's like @MasonR says, people are trying to hack/get access to wp-admin. I applied IP restrictions on my wp-admin page, and the issue was solved. But fail2ban will work better if you need other people to have access to your wp-admin (if you are using WordPress).

  • Install CSF and mod_evasive

  • raindog308 Administrator, Veteran

    nocker said: too many /usr/sbin/httpd process that no end what type of attack is this?

    Your images are broken btw.

    You might look to see where all the connections are coming from. If you're getting a flood from a single IP or a group of IPs, an iptables rule or two to permanently block those IPs would eliminate the problem.
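
As an added example that is not part of the thread: one way to see where the requests are coming from is to summarise the Apache access log per client IP and per minute. The function names are hypothetical, the sample log lines are constructed, and the log is assumed to be in Apache's "combined" format.

```sh
#!/bin/sh
# Added example: summarise an Apache "combined" access log read from stdin.

# Constructed sample lines (documentation IP ranges), not data from the thread.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:02:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2024:02:14:30 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:02:15:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:02:15:40 +0000] "GET /style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:02:16:05 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# top_clients MIN: print "requests login_posts ip" for every client with at
# least MIN requests, busiest first. login_posts counts POSTs to wp-login.php
# or xmlrpc.php, the brute-force pattern suggested in the replies above.
top_clients() {
    awk -v min="${1:-100}" '
        { total[$1]++ }
        $6 == "\"POST" && $7 ~ /\/(wp-login|xmlrpc)\.php/ { login[$1]++ }
        END {
            for (ip in total)
                if (total[ip] >= min)
                    printf "%d %d %s\n", total[ip], login[ip] + 0, ip
        }' | sort -k1,1nr -k3,3
}

# busiest_minutes N: print "requests dd/Mon/yyyy:hh:mm" for the N busiest
# minutes, to line the request spike up with the CPU load spike.
busiest_minutes() {
    awk '{ permin[substr($4, 2, 17)]++ }
         END { for (m in permin) printf "%d %s\n", permin[m], m }' |
        sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Demo on the constructed sample.
sample_log | top_clients 3
sample_log | busiest_minutes 2
```

On a live server, feed the real access log on stdin instead of `sample_log`, for example `top_clients 100 < access_log`; the log's location depends on the setup.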

  • Jarry Member

    IMHO apache is not very good for handling too many parallel requests. It spawns a lot of child processes and eats all resources quickly. It is not very difficult to kick it down.

    Either switch to nginx, or if you want to stick with apache anyway, use some reverse proxy (i.e. varnish) or CDN.
