I have a staging server, which is run out of our office, that we use for showing websites currently in development to clients for approval, and for content input into a CMS. It is not under high load, only a few visits a month and there is only a handful of sites on it at a time. The server is running Ubuntu 14.04.1 LTS with Apache 2.4.7 with the ITK module.

I have started having a problem completely out of the blue where the sites on it are just completely hanging. Sometimes it times out, sometimes they just seem to spin indefinitely and sometimes the browser just says the resource cannot be accessed.

I have dug through the Apache logs and cannot find any errors that seem remotely useful. I have checked out netstat and there are a lot of processes in there on TIME_WAIT which don't seem to be clearing themselves, with some from IPs that I do not recognise either.

If I try and restart Apache with any of the following commands, it just hangs infinitely with no error message:

```
service apache2 reload
service apache2 restart
apache2ctl restart
apache2ctl stop/start
```

Although I am fairly comfortable with the command line and Ubuntu, I am no expert by any means. Without any error messages, I do not really know what to try next.

Can anyone offer any advice?

sebix

1 Answer

I'm sorry but I cannot add comments to questions yet. Your case sounds a lot like a SlowLoris attack, but I do not want to make any sweeping statements off the bat. Have a look at this topic, seems to be very similar to your issue.

If it turns out to be an attack, just wanna leave this here for you to reference.

ngn
  • Hi, thanks for your response!! I have to admit, from reading up on it, it all sounds very similar although I have checked to see how many connections there are active in netstat and although there are 564, 55% of them are from our office. My limited understanding is that connections in netstat are supposed to drop off after a few minutes? No one has been looking at the server for at least an hour now but all of those connections are still active for some reason. Thanks again!! – David Essery Jul 16 '15 at 13:13
  • The way SlowLoris attacks work, you do not need too many connections or bandwidth to bring a webserver down. I have seen actual cases of hackers taking down multiple webservers using a single phone with a 3G connection. This is quite different from the way normal denial of service attacks work. I remember going through a very good reference article when SlowLoris attacks were rampant, but I cannot find it again. I hope [this](https://blogs.akamai.com/2013/09/slow-dos-on-the-rise.html) helps – ngn Jul 16 '15 at 13:23
  • With some further investigation, I believe @ngn was correct NGN. To stop it I have installed mod_qos into Apache and added the following to the IP Tables and it seems to have done the trick: `iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP` – David Essery Jul 17 '15 at 10:43
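
One way to read the netstat output discussed in this thread, as an added example that is not part of the original posts: it tallies connections to a local port per remote address and TCP state, then lists the sources holding more established connections than a limit. The sample data is constructed (documentation-range addresses), the function names are hypothetical, and the limit of 100 simply mirrors the `connlimit-above` value in the last comment.

```shell
#!/bin/sh
# Added example: per-source connection tally from `netstat -ant` output.

# Constructed sample in `netstat -ant` layout; not data from the thread.
sample_netstat() {
  awk 'BEGIN {
    print "Proto Recv-Q Send-Q Local Address Foreign Address State"
    print "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"
    # One source holding many connections open (the slow-request pattern).
    for (i = 1; i <= 120; i++)
      print "tcp 0 0 192.0.2.10:80 203.0.113.7:" (40000 + i) " ESTABLISHED"
    # An ordinary client: mostly closed connections draining in TIME_WAIT.
    for (i = 1; i <= 30; i++)
      print "tcp 0 0 192.0.2.10:80 198.51.100.20:" (50000 + i) " TIME_WAIT"
    print "tcp 0 0 192.0.2.10:80 198.51.100.20:50999 ESTABLISHED"
    print "tcp 0 0 192.0.2.10:22 198.51.100.20:51000 ESTABLISHED"
  }'
}

# conn_summary PORT: reads netstat output on stdin and prints
# "<ip> total=<n> established=<n> time_wait=<n>", busiest source first.
conn_summary() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      n = split($4, l, ":"); if (l[n] != port) next   # keep only this local port
      ip = $5; sub(/:[0-9]+$/, "", ip)                # strip the remote port
      total[ip]++
      if ($6 == "ESTABLISHED") est[ip]++
      if ($6 == "TIME_WAIT") tw[ip]++
    }
    END {
      for (ip in total)
        printf "%s total=%d established=%d time_wait=%d\n", ip, total[ip], est[ip], tw[ip]
    }' | sort -t= -k2,2nr
}

# over_limit PORT LIMIT: sources with more than LIMIT established connections.
over_limit() {
  conn_summary "$1" | awk -v limit="$2" '{
    split($3, e, "="); if (e[2] + 0 > limit) print $1
  }'
}

# Live use on the server: netstat -ant | conn_summary 80
sample_netstat | conn_summary 80
```

Splitting the count by state separates sockets that are merely draining in TIME_WAIT from connections a client is still holding open, which is the number that matters when judging a per-source limit.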