too many connection to vps

[Cometolearn]

hi,
recently my vps getting to many connection to vps

when i run this command in ssh

netstat -anp | grep 80 | awk '{print $5}' | cut -f1 -d: | sort | uniq -c | sort -n

i am getting this

217 connection from unknown IP how can i resolve this

Please help thanx

 

[REAK]

Try finding whom these ip's belong using http://whois.domaintools.com/

If they seem suspicious you can null route those IP's, if it's some kiddies trying to DoS
route add [IP Address] gw 127.0.0.1 lo

 

[BLuHost]

This could be indeed a DoS attack. The best way to mitigate this is using a DDoS Proxy, but if the attack is not large, you can just use the IP blocking method.

 

[REAK]

This could be indeed a DoS attack. The best way to mitigate this is using a DDoS Proxy, but if the attack is not large, you can just use the IP blocking method.

Best way to mitigate a DoS attack is to use a DDoS proxy ?? :blink:

DoS is Denial Of Service which is different from DDoS (Distributed Denial of Service),
in DoS you have huge connections from a single IP, in case of DDoS there are low connections from a single IP but the no. of IP's are huge so you cant block each of them, however in case of DoS you can easily use IPtables or nullrouting to block it.

 

[BLuHost]

Maybe he suffers from a DDoS attack in the future and he might get downtime due to that

 

[REAK]

(Sorry for going offtopic)
Hey, have you censored the IP or your problem is the IP is not showing ?,
In case the IP is unknown then you can try this

netstat -anp | grep 'tcp\|udp' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | awk '{print $5}' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

 

[Cometolearn]

@serverpolice when i enter ur command in ssh i am getting

13 0.0.0.0

previously its was 217 + connection from blank IP today only 13 from 0.0.0.0


why 0.0.0.0 having to many connection yesterday ?

 

[REAK]

@serverpolice when i enter ur command in ssh i am getting

previously its was 217 + connection from blank IP today only 13 from 0.0.0.0


why 0.0.0.0 having to many connection yesterday ?

Maybe some apache config problem if you are getting huge connections from 0.0.0.0 / 127.0.0.1 .

Check your error logs for more details.

 

[l0calh0st]

Hey,

Do you have CSF running? You can config CSF so it will automatically block IPs that connect X amount in a time frame.

 

[tnhjennis]

Get firewall installed. If you use cPanel, use csf and configure it to block IP's which have large number of connections to the server. If any IP crosses limit you set, it will be blocked automatically. Other option is APF firewall along with the ddos deflate. This script also blocks IP's having large number of connections. But usually software firewall's are useful only if the strength of attack is low if you get high scale attack, ask your dc to use hardare firewall.