
Large network spikes? DDoS ?!? How to detect?

Posted by phactor, 04-29-2010, 01:17 PM
Hello, one of the servers in my rack sometimes uses about 800M of traffic, which causes a general slowness. The normal traffic is about 6~10M during the day, but sometimes (not every day at the same hour) we have huge spikes. This is a normal cPanel server with a few accounts and I don't see any strange process running when this happens. The fact is that the traffic comes from that port. How can I check what is causing this? Any software I can use to track down the origin? This is a fresh server, so it hasn't been hacked or something. Thanks in advance for your help.

Posted by Snapfiber, 04-29-2010, 01:28 PM
Set up a packet sniffer, and when you see that traffic surge coming through, switch it on and take a look at what the traffic looks like.

Posted by SafeSrv, 04-29-2010, 02:08 PM
To be on the safe side, I would run a little RKhunter scan... If you have migrated over some sites, you might have migrated something that was already there on the previous server. During the hour this happens, try this command: See if there's a high amount of connections from any IPs. Also, have you checked your Apache logs? May be worthwhile having a look. Do you run any kind of firewall? DD

Posted by phactor, 04-29-2010, 02:22 PM
Hello, I checked the Apache logs and cannot find anything weird. I use the csf firewall (still working on a hardware solution). Regarding the packet sniffer, what do you suggest? Thanks for your help.

Posted by LiquidWebBenny, 04-29-2010, 02:43 PM
Just to avoid confusion: is the increased traffic inbound or outbound? Assuming outbound: do you have Mod_security installed? If not, I would recommend it. You can use clamscan to look for PHP shells and the like. Be careful to run it at off-peak times, though, as it can be a bit of a resource hog.

Posted by SafeSrv, 04-29-2010, 03:36 PM
I wouldn't worry about a packet sniffer just now. Can you post the Apache access logs and error logs from the specific time this happens? Have you checked to see if there are any processes running that you don't recognize? DD

Posted by phactor, 04-29-2010, 03:56 PM
Hello, the traffic is inbound. Logs are perfectly normal, and I checked processes and didn't find anything.

Posted by WinsNexus, 04-29-2010, 09:15 PM
tcpdump not port 22
You can pipe it out to a text file:
tcpdump not port 22 >> dump.txt
Search Google for other filters you would like to use with the tcpdump command.
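Once a capture like the one above has been written to a file, the question is which remote addresses account for the surge. The script below is an added example, not something any poster in this thread wrote: it summarizes `tcpdump -n` output by source IP (the "packet sniffer" step) and counts open connections per peer from `netstat -ntu`-style output (the "high amount of connections from any IPs" check). The sample capture lines and netstat lines are constructed, use documentation IP ranges, and stand in for what the server would actually record; the function names `top_talkers`, `top_source` and `connections_per_peer` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): attribute a traffic spike to its
# sources by summarizing a tcpdump capture and the current connection table.
# Real usage:  tcpdump -n -i eth0 not port 22 > dump.txt ; top_talkers dump.txt
#              netstat -ntu > conns.txt ; connections_per_peer conns.txt

# Constructed sample of `tcpdump -n` output (IPs from documentation ranges).
# 203.0.113.5 sends three SYNs in a row; the IPv6 line is ignored on purpose.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 203.0.113.5.51235 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000003 IP 203.0.113.5.51236 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000004 IP 192.0.2.77.40000 > 198.51.100.10.80: Flags [P.], seq 1:200, ack 1, win 502, length 199
12:00:01.000005 IP 198.51.100.10.80 > 192.0.2.77.40000: Flags [.], ack 200, win 501, length 0
12:00:01.000006 IP6 2001:db8::1.443 > 2001:db8::2.50000: Flags [.], ack 1, win 100, length 0'

# Constructed sample in `netstat -ntu` layout (two header lines, then sockets).
SAMPLE_CONNS='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.5:51234       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.5:51235       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.77:40000        ESTABLISHED
udp        0      0 198.51.100.10:53        192.0.2.9:5353          ESTABLISHED'

# top_talkers FILE: packets per source IPv4 address, busiest first.
# tcpdump prints "host.port" for IPv4, so the port is the fifth dot-separated
# field and the address is the first four.
top_talkers() {
    awk '$2 == "IP" {
            split($3, a, ".")
            ip = a[1] "." a[2] "." a[3] "." a[4]
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# top_source FILE: the single busiest source IP, the first thing to look at.
top_source() {
    top_talkers "$1" | head -n 1 | awk '{ print $2 }'
}

# connections_per_peer FILE: open sockets per remote address, busiest first.
# Only tcp/udp rows are counted; the ":port" suffix is stripped from column 5.
connections_per_peer() {
    awk '$1 ~ /^(tcp|udp)/ {
            sub(/:[0-9]+$/, "", $5)
            count[$5]++
        }
        END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# run_demo: write both samples to temp files and print the two summaries.
run_demo() {
    cap=$(mktemp); conns=$(mktemp)
    printf '%s\n' "$SAMPLE_CAPTURE" > "$cap"
    printf '%s\n' "$SAMPLE_CONNS" > "$conns"
    echo "packets per source:";     top_talkers "$cap"
    echo "connections per peer:";   connections_per_peer "$conns"
    rm -f "$cap" "$conns"
}

if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

Run it with `--demo` to see the summaries for the constructed samples; against a real capture, the first line of `top_talkers` is the address to compare with the firewall's connection limits, and a large SYN_RECV count for one peer in `connections_per_peer` is the pattern csf's connection tracking is designed to limit.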

Posted by Steven, 04-29-2010, 09:25 PM
Automatic cpanel updates?

Posted by khunj, 04-30-2010, 10:15 AM
Did you check your network stats?
