Apache all of a sudden very slow

Now the server reacts ok, and that ip address is gone from netstat output.

Is there a way to see what exactly they’re trying to look at (on the server, that is, obviously, not “their screen” or so :wink:)?

And now (I’m really sorry for this) it’s slow again, and netstat is full of two IP addresses:

193.191.210.10 and 193.191.210.2

They belong to the department of finances of the Belgian government:

mineco.fgov.be and mail.mineco.fgov.be

Maybe the fact that one is mail and the other (seems) normal is a bit strange? I mean, on the server a lot at the same time.

Maybe this is normal, but it’s just what caught my eye.

Yeah, it kind of sounds like some hosts are hitting you pretty hard.

I’m not really sure why that variety of systems is finding you, but perhaps you may want to look into using some sort of anti-DoS tool.

You could just block a single host at a time using iptables or so, but it looks like they’re rarely the same ones.

There’s a few options out there – you might look into some Apache modules such as mod_evasive or mod_qos.

There’s also “DDoS Deflate”, which is a simple bash script that runs regularly and uses iptables to block hosts with more than N connections.

There’s likely to be other great tools out there too, I’m not too familiar with this realm unfortunately.

Also, if you haven’t already, I’d definitely lower the “Timeout” setting in Apache to at least 30.

Until you find a tool that works for you, you’d probably just want to block the hosts in question that appear to have an “excessive” amount of connections open.

-Eric

OK, thanks for that. I did change the default Apache setting from 300 to 30 as you mentioned earlier.

I’ll check about those tools.

Right now I’ve got zillions of …haarlem.nl in my netstat.

Is there a way to see if they’re trying to contact a ‘real thing’ on the server, for example a file? (I know this sounds stupid but I’m just being curious)

The best you can do, I think, would be to look around in the Apache logs, and see if that particular IP is listed as having requested anything.

There are a variety of types of DoS attacks… the recently created slowloris attack just creates a bunch of connections to Apache, and never does anything with them.

However, in its case, it doesn’t typically create a high load on the server, it just makes Apache slow to respond.

-Eric

Thanks for your answer yet again, Eric. I’ve managed to install mod_evasive; it comes with a Perl test script which showed it seems to work.

Curious what will happen now…

I didn’t have a high load nor memory usage, it was just Apache indeed.

Still wondering why somebody would want to do it to one of my sites or server (I’m a nice guy, you see :slight_smile: :slight_smile:)
and the sites are nothing special. Probably just boredom. (Of the DoS attacker, not of me making those sites.)

I’ll keep you updated.

And thanks for your clues and ideas in this thread, you’ve helped me a lot.

I don’t think anyone will start DDoSing out of boredom, it’s too time-consuming and costly.
I would contact my ISP to see if anyone on their network or even they themselves are a target and you suffer from some reminiscence. Or perhaps a switch over there is out of control... let them check.

I worked with a big host who was regularly a target. A good ddos would kill all their Apache servers until the attack was properly mitigated…

I’ll start rereading all the messages here, as today it seems to be happening again… But I thought I’d upload the netstat file already so you can have a look too. Going to have to block 165.72.200.11. Crazy thing is, I’ve got mod_evasive up and running since last time…

Does anyone know how I can find out what website on my server they’re trying to ‘attack’?

I’ll try to learn how to block an IP.

Yeah, looks like a DoS attack originating from that IP (either that, or an extremely poorly behaved web browser!).

Using mod_evasive can be helpful, but it may not always do the trick, as you’re seeing.

DoS attacks are a pain in the butt, as you’re seeing :slight_smile:

There are additional ways to try and mitigate these sorts of attacks…

Some folks have suggested they had good luck with DDOS Deflate:

http://deflate.medialayer.com/

All that script does, though, is check the number of connections for any particular IP address at any given moment, and if it exceeds a particular threshold, it uses iptables to block the IP.

The command line it uses is:

iptables -I INPUT -s IP_ADDRESS_HERE -j DROP
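As an added example (not Eric’s script and not DDoS Deflate’s own code), here is a small shell script that does what the post describes: it counts open connections per remote IP from netstat output, lists the IPs over a threshold, and prints the corresponding iptables DROP command for review instead of running it. It also greps an Apache access log for what a given IP actually requested, which answers the “what are they trying to reach” question from earlier in the thread. The netstat and log samples are constructed (RFC 5737 test addresses), not from the thread.

```shell
#!/bin/sh
# Constructed sample of "netstat -nt" output (not from the thread's server).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:443            198.51.100.7:51237      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED'

# Constructed Apache access log lines in the default "combined" format.
SAMPLE_LOG='198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Read netstat output on stdin; print "<count> <remote ip>", busiest first.
# Stripping only the trailing ":port" keeps IPv6 addresses intact too.
count_conns() {
    awk '$1 ~ /^tcp/ { ip = $5; sub(/:[0-9]+$/, "", ip); c[ip]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Print only the remote IPs with at least $1 connections open.
over_threshold() {
    count_conns | awk -v n="$1" '$1 >= n { print $2 }'
}

# Emit the block rule DDoS Deflate uses for each offender instead of
# running it, so the operator reviews the list before touching the firewall.
block_commands() {
    over_threshold "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Read an access log on stdin; print the request lines made by IP $1.
requests_from() {
    awk -v ip="$1" -F'"' 'index($0, ip " ") == 1 { print $2 }'
}

# Example run: threshold of 3 on the constructed sample, then show what
# each offending IP was requesting according to the constructed log.
printf '%s\n' "$SAMPLE_NETSTAT" | block_commands 3
printf '%s\n' "$SAMPLE_NETSTAT" | over_threshold 3 | while read -r ip; do
    printf '%s\n' "$SAMPLE_LOG" | requests_from "$ip" | sort | uniq -c
done
```

On a live server, replace the samples with `netstat -nt` and the real access log; the threshold needs tuning, since a busy proxy or NAT gateway legitimately opens many connections from one address.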

Thanks Eric, had found the iptables thing, and managed to get iptables up and running (and block that IP address). Set the Apache timeout to 10 and the server is serving again.

Will now look into DDoS Deflate.

Is there a way to see what site they were trying to attack?

I’ve installed ddos-deflate.

thanks!