
I installed Nagios recently on a Debian machine running an Apache web server among other things.

The thing is that lately, Nagios tells me that the HTTP service is failing intermittently and it seems that, at random moments, the server gets A TON of connections from its external address and a whole lot of apache2 processes start literally forking my computer up the arse.

To explain this, imagine my public IP address is 1.2.3.4, I have a web server running in a LAN at 192.168.0.10, and 192.168.0.1 is a router that NATs the HTTP traffic in and out.

Whenever the event occurs I see (through netstat) a lot of TCP connections in ESTABLISHED state from 192.168.0.10:randomport to 1.2.3.4:80 (outgoing connections?) and another ton of tcp6 connections, also in ESTABLISHED state, from 1.2.3.4:randomport to 192.168.0.10:80.

I really don't know what is going on; with a regular DDoS I'd expect multiple foreign addresses, but not my own public IP address.

The thing is that I don't know if it's Nagios itself that may be causing this, or if it had been happening before and I didn't know it.

Does anyone have any idea about what might be going on?

Thanks a lot

PS: At the moment I put an iptables rule in place and it seems to fix it without affecting the service, but I want to know what is behind this, so I'm deleting the rule for further tests.

PS2: Further analysis of a netstat output shows that the random ports match between IPs, so it seems that my machine is DoSing itself out of misery? Running the check_http Nagios plugin when the machine is not busy works correctly and doesn't cause the event, so something else must be doing it. Any ideas on how to narrow it down?

EDIT: ss revealed that the ones ORIGINATING the connections are apache2 processes, so basically apache2 is just making connections to itself?

Keith

1 Answer


OK, I managed to reproduce the problem by browsing the web server using localhost, and it triggered the event. I had some RewriteCond rules that read the %{HTTP_HOST} variable, and when that host isn't one of the ServerName or ServerAlias entries it wreaked havoc somehow.
</gml_replace>
<gr_replace lines="36" cat="clarify" orig="I had an entry">
I had an entry in /etc/hosts that mapped the hostname used as hostaddress by Nagios's check_http plugin to 127.0.1.1, and it was causing this whole ruckus.

I had an entry on /etc/hosts that linked the hostname used by nagios's check_http plugin as hostaddress to 127.0.1.1 and it was causing this whole ruckus.

Now it doesn't happen, and luckily the events should stop happening.

I hope it helps somebody.
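The diagnostic step from the question (PS2: "the random ports match between IPs") can be automated. The script below is an added example, not code from the original post: it parses `netstat -tn` style output and flags every TCP connection that appears twice in the table, once from each end, which only happens when both endpoints live on the same host, i.e. the web server is talking to itself through the NAT or loopback. The sample rows are constructed to mirror the question's addresses (192.168.0.10 behind 1.2.3.4); the "service port is the lower port" rule is a heuristic assumption.

```python
"""
Spot a host that is connecting to itself from netstat/ss output.

Added example (not from the original Server Fault post). A loop like the
one in the question shows up as the *same* TCP connection listed twice:
  192.168.0.10:41230 -> 1.2.3.4:80   (the client side, an apache2 process)
  1.2.3.4:80         -> 192.168.0.10:41230   (the server side, after NAT)
Because both rows describe one connection, the ephemeral port matches.
"""
import re
from collections import Counter

# Constructed sample in `netstat -tn` layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.10:41230      1.2.3.4:80              ESTABLISHED
tcp6       0      0 1.2.3.4:80              192.168.0.10:41230      ESTABLISHED
tcp        0      0 192.168.0.10:41231      1.2.3.4:80              ESTABLISHED
tcp6       0      0 1.2.3.4:80              192.168.0.10:41231      ESTABLISHED
tcp        0      0 192.168.0.10:22         10.0.0.5:53422          ESTABLISHED
tcp        0      0 192.168.0.10:80         203.0.113.7:50011       ESTABLISHED
tcp        0      0 192.168.0.10:80         203.0.113.9:50012       TIME_WAIT
"""

# proto, recv-q, send-q, local ip:port, foreign ip:port, state.
# `\S+` is greedy, so IPv6-mapped forms like ::ffff:1.2.3.4:80 split on the
# last colon as intended.
ROW_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_connections(text):
    """Return (local_ip, local_port, peer_ip, peer_port) for ESTABLISHED rows only."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, UDP rows, unix sockets
        _proto, lip, lport, pip, pport, state = m.groups()
        if state == "ESTABLISHED":
            conns.append((lip, int(lport), pip, int(pport)))
    return conns


def find_self_connections(conns):
    """Endpoint pairs seen twice (from each end) -> both ends are on this host."""
    counts = Counter(frozenset([(lip, lport), (pip, pport)]) for lip, lport, pip, pport in conns)
    return sorted((tuple(sorted(pair)) for pair, n in counts.items() if n >= 2))


def self_connections_by_service_port(conns):
    """Count looping connections per service port (heuristic: the lower port)."""
    summary = Counter()
    for pair in find_self_connections(conns):
        service_port = min(port for _ip, port in pair)
        summary[service_port] += 1
    return dict(summary)


if __name__ == "__main__":
    # Run against live data with: netstat -tn | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    conns = parse_connections(data)
    loops = find_self_connections(conns)
    print(f"{len(conns)} established connections, {len(loops)} self-connections")
    for pair in loops:
        print("  loop:", " <-> ".join(f"{ip}:{port}" for ip, port in pair))
    print("per service port:", self_connections_by_service_port(conns))
```

On the sample data the two 1.2.3.4:80 loops are reported and the SSH session and the genuine external client on port 80 are not. Once a loop is confirmed, `ss -tnp` (as the asker did) names the owning process, and the fix is on the application side, here the RewriteCond/HTTP_HOST and /etc/hosts combination the answer describes, rather than an iptables rule that hides the symptom.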