I am seeing a huge number of connections from a single IP.
# netstat -alpn | grep :80 | grep 92.98.64.103
tcp 0 0 my.ip.address.x:80 92.98.64.103:45629 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:44288 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:48783 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:40531 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:54094 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:47394 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:43495 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:55429 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:42993 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:49542 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:54812 TIME_WAIT -
There are 419 such lines. But I see only 1 request from 92.98.64.103 in my access log. Is this a DoS attack?
UPDATE - 419 connections are from a single IP. There are several such IPs with over 100 connections.
The normal RAM usage of my server is around 2-3 GB. But at that time it was using 15 GB RAM.
root@mars [~]# netstat -alpn | grep ':80 .*TIME_WAIT' | wc -l
6728
UPDATE 2 - TIME_WAIT increased to over 10000 in a few seconds
root@mars [~]# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
1 established)
1 Foreign
4 CLOSE_WAIT
9 FIN_WAIT2
34 LAST_ACK
39 SYN_RECV
44 LISTEN
45 CLOSING
68 FIN_WAIT1
128 ESTABLISHED
10261 TIME_WAIT
But the web server is loading fine without any problem.
419 measly connections is not a DoS.
On one particular medium-usage webserver at the moment I have:
384 connections in this state.
How many per IP?
It's unusual to have so many from one IP - my guess is a PMTU problem resulting in terminated connections without requests being made.
If you're concerned, dump the traffic.
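The per-IP and per-state counts this answer asks for, as an added example that is not code from the thread: a small shell script over constructed netstat-style lines (the 203.0.113.7 and 198.51.100.9 addresses are made up; the 92.98.64.103 lines copy the question's format). In practice you would pipe real `netstat -alpn` or `ss -tanp` output into the functions instead of the sample.

```shell
#!/bin/sh
# Added example, not code from the thread. SAMPLE is constructed to mimic
# `netstat -alpn` output, including its two header lines, so the script can
# show why a naive awk over column 6 produces rows like "1 established)".

SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/httpd
tcp 0 0 my.ip.address.x:80 92.98.64.103:45629 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:44288 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 92.98.64.103:48783 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 203.0.113.7:51000 TIME_WAIT -
tcp 0 0 my.ip.address.x:80 203.0.113.7:51001 ESTABLISHED 1234/httpd
tcp 0 0 my.ip.address.x:443 198.51.100.9:40000 TIME_WAIT -'

# Count sockets per TCP state. Only lines whose first field starts with
# "tcp" are socket rows, which skips the header lines that the question's
# `awk '{print $6}'` counted as "established)" and "Foreign".
state_summary() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Count TIME_WAIT sockets per remote IP for local port $1 (default 80).
# The port is stripped from the end of each address rather than split on
# the first colon, so IPv6 addresses (which contain colons) work as well.
# Output: "<count> <ip>", busiest source first.
timewait_per_ip() {
    port="${1:-80}"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "TIME_WAIT" {
            lport = $4; rhost = $5
            sub(/.*:/, "", lport)        # keep only the local port number
            sub(/:[0-9]+$/, "", rhost)   # drop the remote port
            if (lport == port) n[rhost]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Keep only sources at or above a threshold. A few IPs far above the rest
# points at specific noisy clients; a flat distribution points at general
# load, which is the distinction the answer above is drawing.
ips_over() {
    awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Example run on the constructed sample:
printf '%s\n' "$SAMPLE" | state_summary
printf '%s\n' "$SAMPLE" | timewait_per_ip 80
printf '%s\n' "$SAMPLE" | timewait_per_ip 80 | ips_over 3
```

On the sample this reports 5 TIME_WAIT, 1 ESTABLISHED and 1 LISTEN, then 3 TIME_WAIT sockets on port 80 from 92.98.64.103 and 1 from 203.0.113.7; the 443 socket is excluded by the port filter. Run the same pipeline against live output to see whether the 419 connections in the question are one client or many.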
I'd recommend dropping down the number of seconds the socket stays in TIME_WAIT. Add the following to /etc/sysctl.conf and run: