This article provides guidance on how to determine if your server is under attack and how to manage it effectively. Below are suggested steps to help you assess your server’s status and identify potential issues.
Step 1: Check Server Load
If you notice your server or website is running slowly, the first step is to check the server load. You can do this using the following commands:
To determine the number of processors on your server, use:
grep processor /proc/cpuinfo | wc -l
nproc
These commands will return the number of processors on your server (e.g., 1, 2 or 4).
Next, to check the server load, use:
uptime
cat /proc/loadavg
The output of these commands provides insights into server load over 1, 5, and 15 minutes. For instance, if you have 1 processor, a load average of 1.00 represents full CPU utilization. Load averages like 1.50, 2.23, 8.14 indicate the CPU is overloaded by 50%, 123%, and 714% respectively. While short-term overloads (e.g., 50% or 123%) might be acceptable, sustained high values could signal a problem, especially if the load is increasing.
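As an added example (not part of the original article), the following shell script automates the Step 1 arithmetic: it reads /proc/loadavg and the CPU count, reports how far over full utilisation the 1-minute load is, and classifies the three load averages as ok, transient, sustained or rising, the last being the "load is increasing" case the article warns about. The function names overload_pct, load_status and check_load and the four-way classification are choices made here; the article only describes the comparison by hand.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes a Linux host with
# /proc/loadavg and either nproc or /proc/cpuinfo available.

# overload_pct LOAD NCPU -> percentage above full utilisation, rounded
# (negative means spare capacity). 1.50 on 1 CPU -> 50, 8.14 on 1 CPU -> 714.
overload_pct() {
    awk -v load="$1" -v ncpu="$2" 'BEGIN { printf "%.0f\n", (load / ncpu - 1) * 100 }'
}

# load_status LOAD1 LOAD5 LOAD15 NCPU -> one of:
#   ok        : 1-minute load at or below the CPU count
#   transient : 1-minute load above the CPU count, 15-minute load not
#   rising    : all three above the CPU count and 1m > 5m > 15m (getting worse)
#   sustained : 1- and 15-minute loads above the CPU count, not climbing
load_status() {
    awk -v l1="$1" -v l5="$2" -v l15="$3" -v n="$4" 'BEGIN {
        if (l1 <= n)                  print "ok"
        else if (l15 <= n)            print "transient"
        else if (l1 > l5 && l5 > l15) print "rising"
        else                          print "sustained"
    }'
}

# check_load: read the live values and report them in Step 1 terms
check_load() {
    ncpu=$(nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo)
    read -r l1 l5 l15 _ < /proc/loadavg
    printf 'cpus=%s load=%s/%s/%s overload(1m)=%s%% status=%s\n' \
        "$ncpu" "$l1" "$l5" "$l15" \
        "$(overload_pct "$l1" "$ncpu")" \
        "$(load_status "$l1" "$l5" "$l15" "$ncpu")"
}

# Run the live check when the script is executed on a Linux host.
if [ -r /proc/loadavg ]; then
    check_load
fi
```

One caveat when reading the result: on Linux the load average counts tasks in uninterruptible (disk) wait as well as runnable tasks, so a high figure while the CPUs are mostly idle usually points at I/O contention rather than CPU exhaustion; top or vmstat shows which of the two you are looking at.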
Step 2: Monitor Network Traffic
High server load could be due to legitimate traffic, but it could also indicate an attack. To further investigate, monitor network traffic using the netstat command in a Linux environment:
To see the number of connections each IP has to your server:
netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | sort | uniq -c | sort -nk1 -r
This helps identify IP addresses making frequent connections. While some repeated connections might be normal (e.g., from shared IP networks), a single IP with 100+ connections could be suspicious.
Additional netstat commands for monitoring:
1. List all active connections:
netstat -na
2. Show specific traffic (e.g., port 80):
netstat -an | grep :80 | sort
3. Count connections by IP via TCP and UDP ports:
netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
These commands can help you identify unusual network activity.
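The one-liners above split the foreign address with cut -d:, which works for IPv4 but mangles IPv6 peers because their addresses contain colons themselves. As an added example, not from the article, here is a small script that parses netstat -ntu output, counts connections per remote address after stripping only the trailing :port, and prints the addresses at or above a threshold (the article's 100+ rule of thumb in live use). The sample netstat output is constructed for illustration, and the function names conns_per_ip and flag_ips are choices made here.

```shell
#!/bin/sh
# Added example, not the article's own code. Counts established connections
# per remote address from `netstat -ntu` output, handling IPv6 correctly.

# Constructed sample of `netstat -ntu` output so the functions run offline;
# the addresses are documentation ranges, made up for illustration.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.9:40002      TIME_WAIT
tcp6       0      0 2001:db8::5:80          2001:db8:1::77:33001    ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::77:33002    ESTABLISHED
udp        0      0 10.0.0.5:53             192.0.2.44:5353         ESTABLISHED'

# conns_per_ip: read netstat output on stdin, print "<count> <ip>" lines sorted
# by count descending (ties by address). Header lines and wildcard peers are
# skipped; only the final ":port" is removed, so IPv6 addresses stay intact.
conns_per_ip() {
    awk '$1 ~ /^(tcp|udp)/ && $5 !~ /\*$/ { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -k1,1rn -k2,2 \
        | awk '{ print $1, $2 }'
}

# flag_ips THRESHOLD: read "<count> <ip>" lines on stdin, keep count >= THRESHOLD
flag_ips() {
    awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# Live use (netstat comes from the net-tools package):
#   netstat -ntu | conns_per_ip | flag_ips 100
# Offline demonstration on the constructed sample, threshold 2:
printf '%s\n' "$SAMPLE_NETSTAT" | conns_per_ip | flag_ips 2
```

Run this periodically rather than once: a single snapshot of a busy site can show a shared NAT gateway above any fixed threshold, while an address that stays at the top of the list across several minutes while the load climbs is the pattern worth acting on.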
Step 3: Respond to a Potential Attack
If you visit your website and notice it’s slow or encountering 5xx errors, and your server load is high, this could indicate an attack. If you identify unknown IPs making numerous connections, you might need to take action.
To block a suspicious IP using iptables:
iptables -A INPUT -s 111.11.1.1 -j DROP
(Use -j REJECT instead of -j DROP if you prefer.)
service iptables save
service iptables restart
If the server remains slow, even after blocking IPs, there may be lingering Apache processes from previous connections. In this case, you can kill all Apache processes and restart the service:
killall -KILL httpd
service httpd start
Final Note
This article offers a basic approach to diagnosing whether your server is under attack. There are many other tools, methods, and procedures available for more advanced investigation and mitigation. Consider this a starting point for identifying and addressing potential threats to your server.