We just configured our website on our new server running Windows Server 2008.
Our server is quite strong: Xeon quad-core 3.0 and 25GB RAM, running MySQL and Apache.
The problem is that we are running high on CPU. Task Manager usually shows 90 -> 100% CPU, maxed on all cores. This CPU usage is all in the httpd process from Apache.
Running
netstat -ano | find /c "80"
We found that the server is always busy with around 2200 -> 2700 connections on port 80. Could this be a DDoS attack? How could we reconfigure to optimize our server and block unnecessary requests?
Why not enable extended server status (restricted to your IP range) for a look at what is connecting and to where?
http://httpd.apache.org/docs/2.0/mod/mod_status.html
And look in your logs.
Whether it is bad or not really depends on your application and specific situation. Typically when you use netstat to count connections you do it like:
otherwise you will count a large number of connections in TIME_WAIT which is usually normal. You can also count SYN connections to check for a SYN flood attack.
You may find your connection numbers drop significantly by just counting the ESTABLISHED ones. For example, on one of my servers currently at 6 req/sec there are a total of 1000 connections but only 5 currently in the ESTABLISHED state (most are in TIME_WAIT). On another server, however, there are 1000 connections but 500 in the ESTABLISHED state (20 req/sec and I suspect some sort of KeepAlive setting is on here). From those values your numbers don't necessarily look too bad.
You can also use an extended netstat command to count the number of connections each IP address is making to your server:
A "normal" number of connections/IP again depends on your application. In my case the average is 5-10 so if I ever see significantly more than that I look into it in more detail.
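The counting described in the answer above, as an added example that is not part of the original posts: a Python parser for Windows `netstat -ano` output that matches the local port exactly, tallies connections by TCP state, and counts ESTABLISHED connections per remote IP. The sample output, the function names and the `per_ip_limit` threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (documentation-range IPs).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED     1480
  TCP    192.0.2.10:80          198.51.100.7:51235     ESTABLISHED     1480
  TCP    192.0.2.10:80          198.51.100.7:51236     TIME_WAIT       0
  TCP    192.0.2.10:80          203.0.113.9:40001      ESTABLISHED     1480
  TCP    192.0.2.10:80          203.0.113.80:40002     SYN_RECEIVED    1480
  TCP    192.0.2.10:80          203.0.113.81:40003     SYN_RECEIVED    1480
  TCP    192.0.2.10:8080        203.0.113.9:40080      ESTABLISHED     2280
  TCP    192.0.2.10:3306        192.0.2.10:49180       ESTABLISHED     2080
  TCP    [2001:db8::10]:80      [2001:db8::99]:50000   ESTABLISHED     1480
  UDP    0.0.0.0:123            *:*                                    900
"""

def parse_connections(text, port=80):
    """Yield (state, remote_ip) for TCP rows whose local port equals `port`."""
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns: proto, local, foreign, state, PID.
        # Headers and UDP rows (no state column) do not, so they are skipped.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        local, remote, state = fields[1], fields[2], fields[3]
        # rpartition splits on the last ':' so bracketed IPv6 stays intact.
        if local.rpartition(":")[2] != str(port):
            continue
        yield state, remote.rpartition(":")[0].strip("[]")

def summarize(text, port=80, per_ip_limit=10):
    """Return (count by state, ESTABLISHED per IP, IPs above per_ip_limit)."""
    by_state, per_ip = Counter(), Counter()
    for state, ip in parse_connections(text, port):
        by_state[state] += 1
        if state == "ESTABLISHED":
            per_ip[ip] += 1
    noisy = {ip: n for ip, n in per_ip.items() if n > per_ip_limit}
    return by_state, per_ip, noisy

if __name__ == "__main__":
    by_state, per_ip, noisy = summarize(SAMPLE, per_ip_limit=1)
    print("by state:", dict(by_state))
    print("ESTABLISHED per IP:", per_ip.most_common())
    print("over limit:", noisy)
```

On the server, pass the saved output of `netstat -ano` to `summarize` in place of `SAMPLE` and set `per_ip_limit` to whatever is normal for the application.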