I have been getting a "too many connections" error on my site since today...
PDOException: SQLSTATE[08004] [1040] Too many connections in lock_may_be_available() (line 167 of /home/sevensibir/domains/7sib.ir/public_html/includes/lock.inc).
I think it's an attack, because when I run mysqltuner.pl I get:
[!!] Highest connection usage: 100% (152/151)
But I know I have about 500 visits per day. How can I find out if this is an attack, and how can I stop it?
Probably not an attack. Your application is opening too many connections to MySQL. This could result from a DDoS (or simply a lot of legitimate traffic). However, it's more likely that your application (Drupal) is not closing connections properly. This could be that it's not closing them at all (are you using "persistent" connections? -- if so don't) or just taking too long to complete and thus too long before closing the connection.
You can read logs and see where those connections are coming from in your webserver's access log. Also make sure your MySQL has a high enough max connections (see my.cnf and check max_connections=).
If you still feel you are under attack, you can try a HIDS like OSSEC. It automatically detects IPs that are doing too many requests to be human. You might need to fine-tune this for your application.
PDOException = your website's asking for a lot of information.
If your MySQL server isn't accessible from the net and is only contacted via localhost from your web server, then probably not. This is more of an indicator that your server is underpowered or MySQL is misconfigured and needs tuning to keep up with traffic being generated by your site.
To see if there's any attack on your website, you need to consult your server logs. Most people underestimate what kind of traffic their site generates when their customers, Google, Yahoo, Bing, Baidu and Yandex decide to scour their site all at once. Yes, it is a Denial of Service event but not an attack.
Your server's falling over because it can't handle the traffic. You need to read through your web server access logs to determine this; an analysis tool like Weblog Expert can help out in this process. Once you've determined the traffic sources, only then can you determine whether it's malicious or too much valid traffic on a server that can't keep up.
No.
There's nothing here to support your hypothesis. If you can't confirm that this level of traffic was abnormal then you haven't got adequate monitoring in place.
For capacity management this is a useless statistic. You need to know how many concurrent connections you have, how long they last, and what proportion of them are for static content. Then you need to start asking yourself why so many connections are appearing at the database - you may be allowing too many connections on the webserver.
The FIRST thing you need to do is get machinery in place to be able to answer these questions quickly, then you can start thinking about measures to ensure continuity of service. For DOS prevention there's a lot of things you can do with iptables; using an application firewall or a feedback tool like fail2ban is helpful, but putting in an event-based reverse proxy server will have the biggest impact. Tuning your application, in particular the MySQL queries, should give far greater capacity. A quick fix for capacity is to check if your PHP code explicitly closes mysql connections - if not, then add an auto-prepend file which calls mysql_close() via register_shutdown_function()
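
The answers above all come back to the web server access log: who is sending the requests, how fast, and how much of it is static content. The following Python script is an added example, not code from any of the answers. It summarises a log per source address and lists sources whose peak rate of non-static requests exceeds a limit. It assumes the Apache/nginx "combined" log format, a hypothetical list of static file extensions, and an arbitrary limit of 30 requests per minute; the sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumption: these extensions are served straight from disk and never reach PHP/MySQL.
STATIC_RE = re.compile(r'\.(css|js|png|jpe?g|gif|ico|svg|woff2?)(\?|$)', re.I)

def summarize(log_text, per_minute_limit=30):
    """Per-source totals, static share and peak dynamic requests per minute."""
    total, static, agents = Counter(), Counter(), {}
    per_minute = defaultdict(Counter)  # ip -> "dd/Mon/yyyy:hh:mm" -> dynamic hits
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # count unparsable lines instead of silently dropping them
            continue
        ip = m['ip']
        total[ip] += 1
        agents[ip] = m['ua']
        if STATIC_RE.search(m['path']):
            static[ip] += 1
        else:
            per_minute[ip][m['ts'][:17]] += 1
    stats = {ip: {'total': n, 'static': static[ip],
                  'peak_dynamic_per_min': max(per_minute[ip].values(), default=0),
                  'agent': agents[ip]}
             for ip, n in total.items()}
    flagged = sorted(ip for ip, s in stats.items()
                     if s['peak_dynamic_per_min'] > per_minute_limit)
    return stats, flagged, skipped

def _line(ip, ts, path, ua):  # builds one constructed combined-format line
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample traffic (documentation IP ranges), not taken from the page.
SAMPLE_LOG = "\n".join(
    [_line("198.51.100.23", f"12/Mar/2014:10:15:{s:02d}", f"/search/node/{s}", "curl/7.30")
     for s in range(40)]
    + [_line("192.0.2.10", "12/Mar/2014:10:15:05", p, "Mozilla/5.0")
       for p in ("/", "/misc/drupal.js", "/themes/a.css", "/node/3")]
    + [_line("203.0.113.66", f"12/Mar/2014:10:{m}:00", f"/node/{m}", "ExampleCrawler/1.0")
       for m in range(10, 22)]
    + ["truncated or malformed line"])

if __name__ == "__main__":
    stats, flagged, skipped = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]['total']):
        print(ip, s)
    print("over limit:", flagged, "| unparsed lines:", skipped)
```

On a real server, pass the contents of the access log to `summarize()` and set the limit from a baseline of normal traffic; a crawler spread evenly over time shows a high total but a low per-minute peak.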