Question
How can I tell if Apache is experiencing a DDoS (Distributed Denial-of-Service) attack?
Answer
If Apache is experiencing a DDoS attack, you may notice that your server's Web sites are timing out when loading. You may also observe errors like these in the Apache error log:
[Wed Aug 05 21:33:21.543968 2020] [mpm_prefork:error] [pid 10431] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Wed Aug 05 21:45:29.942556 2020] [mpm_prefork:error] [pid 13260] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
[Wed Aug 05 21:50:16.215967 2020] [mpm_prefork:error] [pid 14414] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
You can check whether Apache is experiencing a DDoS attack with this command, which shows the top 10 IP addresses from which Apache is receiving connections:
netstat -an | egrep ":80|:443" | egrep '^tcp' | grep -v LISTEN | awk '{print $5}' | egrep '([0-9]{1,3}\.){3}[0-9]{1,3}' | sed 's/^\(.*:\)\?\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\2/' | sort | uniq -c | sort -nr | sed 's/::ffff://' | head
If you notice a large number of connections from an unrecognized IP address or IP-address range, Apache is likely experiencing a DDoS attack. You can read about how to mitigate DDoS attacks here:
Comments
0 comments
Article is closed for comments.