
My server has been down most of the day. Running top shows several Apache processes (httpd), each one using 70% or more of the CPU, and MySQL eating almost all memory.

I have tried rebooting the server and restarting the services, and each time the situation goes back to the same.

Running:

netstat -n | grep :80 | wc -l

to see the number of connections open to the web server shows around 600 at some points.

That made me think I'm under a DDoS, but when I run

netstat -a

there are tons of connections (more than 200) that look like this:

tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55907 TIME_WAIT
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55687 TIME_WAIT
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55733 TIME_WAIT
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55909 TIME_WAIT
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55893 TIME_WAIT

Why could my mail subdomain be opening so many HTTP connections?

My mail server is Exim. When I check "SHOW PROCESSLIST" on MySQL, all I see is a bunch of Sleep commands running.

What can I do? I'm running out of ideas, PLEASE help!

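Reading 600 netstat lines by eye is error-prone, so here is an added example (not code from the question or the answer) that tallies a `netstat -a` listing by local service and TCP state and ranks the foreign hosts holding ESTABLISHED or SYN_RECV sockets. That separates the self-to-self TIME_WAIT entries in the question (sockets the server already closed and is waiting to reap) from a real flood of open connections from outside. The sample lines are constructed in the same format as the question's output; the public addresses are documentation-range placeholders.

```python
"""Triage a `netstat -a` style listing: count sockets per (local port, state)
and rank foreign hosts by the number of active connections they hold."""
from collections import Counter

# Constructed sample in the question's format (no -n, so ports show as names).
SAMPLE = """\
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55907 TIME_WAIT
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55687 TIME_WAIT
tcp 0 0 mail.my-domain.com:tproxy mail.my-domain.com:55733 TIME_WAIT
tcp 0 0 www.my-domain.com:http 203.0.113.7:41022 ESTABLISHED
tcp 0 0 www.my-domain.com:http 203.0.113.7:41023 ESTABLISHED
tcp 0 0 www.my-domain.com:http 203.0.113.7:41024 SYN_RECV
tcp 0 0 www.my-domain.com:http 198.51.100.5:50011 ESTABLISHED
tcp 0 0 www.my-domain.com:http 198.51.100.5:50012 TIME_WAIT
tcp 0 0 0.0.0.0:smtp 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:bootpc 0.0.0.0:*
"""

# States that mean a client currently holds (or is opening) a connection.
ACTIVE = {"ESTABLISHED", "SYN_RECV"}


def parse(text):
    """Yield (local_host, local_port, foreign_host, state) for each TCP line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue  # skip udp lines, headers and unix sockets
        lhost, lport = f[3].rsplit(":", 1)   # rsplit keeps IPv6 hosts intact
        fhost, _fport = f[4].rsplit(":", 1)
        yield lhost, lport, fhost, f[5]


def triage(text):
    """Return (per (port, state) counts, active count per foreign host,
    number of TIME_WAIT sockets where the server is talking to itself)."""
    states, talkers, self_wait = Counter(), Counter(), 0
    for lhost, lport, fhost, state in parse(text):
        states[(lport, state)] += 1
        if state in ACTIVE:
            talkers[fhost] += 1
        if fhost == lhost and state == "TIME_WAIT":
            self_wait += 1  # local loopback leftovers, not an outside client
    return states, talkers, self_wait


if __name__ == "__main__":
    states, talkers, self_wait = triage(SAMPLE)
    for (port, state), n in sorted(states.items()):
        print(f"{port:>8} {state:<12} {n}")
    print("self TIME_WAIT:", self_wait)
    print("top active hosts:", talkers.most_common(3))
```

Pipe real output in with `netstat -an | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; with `-n` the ports come out numeric (8081 instead of tproxy), which the parser handles the same way.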

1 Answer


Put iptables rules in place for DDoS and port-scanning attacks. You can also use tools like psad or rootkit. I am using my own iptables script which I created for this purpose. Modify the script, test it on a testing server first and then implement it. fail2ban is also a good tool; you can use it for this purpose. Just try it and give feedback on the current result.