DDOS attack: Established connections on port 80 - what to do?

Two of my servers are being attacked. When I type:

netstat -na |grep :80 |grep ESTA

...I am getting like 250 established connections to http...
If I type:

service httpd fullstatus

Then I see 250 lines that say "..reading.." and nothing else. When I try to strace the process nothing happens.
The server breaks down or reaches the max amount of http processes defined in Apache.conf.

Now I could use iptables to block it - the problem is that the attack is coming from thousands of different IP addresses. For now I did change httpd.conf so that processes time out within 5 seconds. This way the server does not go down. However, I've had it like that for two weeks and the ... nice people who do it won't stop no matter what.

I also tried to block the attack using APF. The result was that innocent IPs were blocked, including my own, so I had to reconnect with a different IP to get access, and I did disable APF's antidos feature.


Any ideas ??
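A triage step that follows from the netstat command in the post: before deciding whether iptables blocking is even feasible, aggregate the ESTABLISHED port-80 connections by remote address to see whether the 250 connections come from a handful of sources or are spread thin. This is an added example, not code from the original post; the netstat output below is constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise ESTABLISHED connections to local port 80 by
# remote IP, reading `netstat -na` output on stdin.
# Typical use:  netstat -na | summarize_established_80
# Output: "<connections> <remote_ip>" lines, busiest remote first.
summarize_established_80() {
    awk '
        # Linux netstat -na layout: Proto Recv-Q Send-Q Local Foreign State
        $NF == "ESTABLISHED" && $4 ~ /:80$/ {
            remote = $5
            sub(/:[0-9]+$/, "", remote)   # drop the remote port, keep the IP
            count[remote]++
        }
        END {
            for (ip in count) printf "%d %s\n", count[ip], ip
        }
    ' | sort -rn
}

# Prints "<total_connections> <distinct_remote_ips>" so the ratio is visible:
# a low distinct count means per-IP blocking can work, a high one means
# the sources are too spread out and a timeout/rate-limit approach fits better.
established_80_totals() {
    summarize_established_80 | awk '{ total += $1; distinct++ }
                                    END { printf "%d %d\n", total, distinct }'
}

# Constructed sample of `netstat -na` output (documentation-range addresses).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.7:51234       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51235       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.7:51236       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.9:40001       ESTABLISHED
tcp        0      0 198.51.100.10:80        203.0.113.11:40002      TIME_WAIT
tcp        0      0 198.51.100.10:22        203.0.113.20:55555      ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.5:6000          ESTABLISHED'

# Stand-alone run against the sample: per-IP table, then totals.
printf '%s\n' "$SAMPLE_NETSTAT" | summarize_established_80
printf '%s\n' "$SAMPLE_NETSTAT" | established_80_totals
```

On a live box replace the sample with `netstat -na |` piped into the functions; the TIME_WAIT and port-22 lines in the sample show that only ESTABLISHED port-80 entries are counted.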
