Background:
I have Apache 2 running on ubuntu. There is a low usage on it and mostly being accessed for a web service URL from mobile apps. It was working fine until I installed SSL certificates. I now have both http and https. When I access the server using https, I get a fairly quick response (but probably not as fast as before). When I use http, it's so slow.
What I tried:
From this post:
- I
curl localhostfrom the host and it takes some time, meaning there is no routing issue. - The server runs on Amazon EC2 instance and is managed by me only.
Also:
- I see that Apache once running, creates the maximum number of processes it is allowed to, which was not the case before. I lowered the MaxClients to 20 and I think I'm getting faster responses but it still takes over a minute and I always have MaxClients Apache processes.
dmesgreturns many[ 1953.655703] TCP: Possible SYN flooding on port 80. Sending cookies.- When I netstat I get many entries with
SYN_RECV. Possibly a DDoS attack? - From EC2's monitoring diagrams I see a pattern of high "Maximum Network In (Bytes)" since 2 days ago. By the way the server is still being tested, the actual traffic is very low and not consistent.
- I tried to go with this solution to limit incoming connections using
iptables, still no luck, but I'm trying.
Question:
What could be the problem? Is this a DDoS attack?
Update:
I discussed this problem here. It was indeed a DDoS attack; some solutions are discussed too.
Best Answer
Next time, you might want to use something like
apachetoportail -f /var/log/httpd/access_logto have a better idea of whats going on. You probably would have seen a lot or requests coming in, quite possibly with a recognizable pattern: such as specific ip ranges, or same url's, maybe brute force attemps on some login form etc. You might even want to automate this by putting those ip ranges into an iptables block rule if the url requests go high enough in a certain amount of time.