
When I was checking stats in the SSH terminal for my VPS, I noticed that netstat and the access log give different results.

When I used:

netstat -anp

I saw one attacker with 32 concurrent connections to port 80 from the IP address 123.217.100.19.

Meanwhile, in the access log (/var/www/vhosts/domain.com/statistics/logs/access_log), there were log entries only for the IP address 123.217.100.199 (there is an additional 9 at the end). The specific IP address 123.217.100.19 did not appear in the access log at all.

What is the reason for this IP difference between netstat and the access log?

NecNecco

2 Answers

3

Easy. netstat is a command line tool to show you live/real network traffic happening in real-time. But when you say access_log and point to the full path like this:

/var/www/vhosts/domain.com/statistics/logs/access_log

That log is generated by the web service on the server. My best guess is it would be Apache generating those logs. And the reason you are seeing a log with less data in access_log versus Apache comes directly from Apache’s ability to handle those connections.

In Apache there is an option to keep a connection alive if it’s coming from the same browser on the same IP address, I believe. So if you are seeing 32 items connecting to port 80, it could be that “keep alive” logic is in place.

Or—more likely—the attack is a classic DDoS attack where a flood of connection requests is made, but they are dropped before the connection even happens. This works in a DDoS sense since Apache needs to be able to respond to those requests, but if the attacker’s flood of connections “hangs up” before the connections are made… then no connections would be logged.

So—using your sample data as an example—9 connections are actually being made to Apache. But the remaining 23 requests are just dropping before Apache can do anything.

Giacomo1968
2

Yes, there's a crucial difference.

On netstat, you see raw connection data. It does not matter whether the upper-protocol handshake is performed or not: if a SYN packet comes by, netstat will log it.

On the other hand, the access_log will only log connections that finish the HTTP handshake. If someone establishes a connection but doesn't send any data, the access_log will never see it.

Run `tail -f access_log` and telnet to your server on port 80. After the connection is established, run netstat, and then close the telnet connection without sending anything. You will see your IP appearing in netstat, but not in the access_log.

ThoriumBR
  • I see, but when I blocked `123.217.100.199` through the firewall, `123.217.100.19` also perished from netstat. Any comment on this please? – NecNecco Sep 01 '14 at 21:37
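The telnet experiment from ThoriumBR's answer, as an added example that is not part of the original post: Python's `http.server` stands in for Apache and an in-memory list stands in for access_log (both are assumptions chosen so it runs offline on localhost), and a completed TCP handshake stands for what netstat would show. A bare connect that hangs up without sending anything never produces a log entry; a real GET does.

```python
import http.server
import socket
import threading

# Stand-in for Apache's access_log: entries are appended only once the
# handler has parsed a complete request line (constructed for this example).
ACCESS_LOG = []

class LoggingHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, fmt, *args):
        # Reached only for a request that completed the HTTP exchange,
        # which is exactly when a web server writes an access_log line.
        ACCESS_LOG.append((self.client_address[0], fmt % args))

def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), LoggingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def tcp_connect_only(port):
    """Complete the TCP handshake (netstat would list it) and hang up silently."""
    sock = socket.create_connection(("127.0.0.1", port))
    sock.close()

def http_get(port):
    """Complete the TCP handshake and also send a real HTTP request."""
    sock = socket.create_connection(("127.0.0.1", port))
    sock.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
    sock.recv(4096)  # the log entry is written before the reply is sent
    sock.close()

def run_experiment():
    """Return (log entries after a bare TCP connect, entries after an HTTP GET)."""
    srv = start_server()
    port = srv.server_address[1]
    tcp_connect_only(port)
    after_connect = len(ACCESS_LOG)
    http_get(port)
    after_request = len(ACCESS_LOG)
    srv.shutdown()
    srv.server_close()
    return after_connect, after_request

if __name__ == "__main__":
    print(run_experiment())  # (0, 1): the bare connect never reached the log
```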