I am running CentOS 6 with http -2.2.15
Going under HTTP attack, I can see many http processes running.
> netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
> 1 established)
> 1 Foreign
> 2 LAST_ACK
> 11 LISTEN
> 15 FIN_WAIT2
> 19 CLOSING
> 27 FIN_WAIT1
> 91 SYN_RECV
> 116 ESTABLISHED
> 10399 TIME_WAIT
Count of all connections:
netstat -an | grep :80 | wc -l
10533
Count all unique IP address:
netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l
231
Please advise what we could do to find out who is making the most connections?
PS: server load has not been affected by this attack though.
Thanks for any assistance.
Best Answer
These are blank lines being counted; adding
grep -v '^$'
before the uniq in the pipeline will resolve it. It is very possible this is not an attack, but perhaps a software problem. What are your normal numbers? I have seen articles about MySQL 4/5 causing a high number of TIME_WAIT state connections. Have you had any new installations, updates, or config changes that correspond with the problem?
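
One way to answer the question of which remote address holds the most connections to port 80, as an added example that is not part of the original question or answer. It counts per peer inside awk, so the result does not depend on input order (`uniq` only merges adjacent duplicate lines). The function names and the sample `netstat` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Constructed `netstat -nat` sample using documentation-range addresses.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:40022       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.9:50111       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40023       TIME_WAIT
EOF
}

# top_talkers [PORT]: read netstat output on stdin and print "count ip" for
# every peer connected to local PORT (default 80), busiest peer first.
top_talkers() {
    port="${1:-80}"
    awk -v p=":$port" '
        # Match on the LOCAL address so client sockets to remote :80 are ignored.
        $1 ~ /^tcp/ && $6 != "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            ip = $5; sub(/:[0-9]+$/, "", ip)   # strip the remote port
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# per_state IP [PORT]: break one peer's connections down by TCP state, which
# separates a pile of TIME_WAIT sockets from many SYN_RECV or ESTABLISHED ones.
per_state() {
    awk -v want="$1" -v p=":${2:-80}" '
        $1 ~ /^tcp/ && substr($4, length($4) - length(p) + 1) == p {
            ip = $5; sub(/:[0-9]+$/, "", ip)
            if (ip == want) s[$6]++
        }
        END { for (st in s) print s[st], st }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a live host: netstat -nat | top_talkers 80
sample_netstat | top_talkers 80
sample_netstat | per_state 198.51.100.7 80
```

The number of lines printed by `top_talkers` is the count of distinct peers on that port.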