Block an IP to Speed up Server During DOS Attack

If your Apache server is slow (or if you see tons of “? ..reading..” on Apache Status in WHM) there is a chance that your http server is under a Denial of Service (DOS) attack.
You can check this out by:

1. Log on your server as root
2. Type the following command

netstat -plan|grep :80|awk {’print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

You will see a list of IP addresses with the number of connections each has to your server, like this:

1 127.0.0.1
3 64.34.161.32…. etc.

1. If any have more then 50-100 connections, there is a chance that this is your attacker. Unfortunately, this most likely will not stop a Distributed Denial of Service attack (DDOS), but if it is one IP this should do the trick. Go ahead and block this IP using APF if you have it installed.

apf -d IP

Good luck!

P.S. One way I have been attacked before is via traffic exchanges. If you see a lot of referring URLs from a traffic exchange and requests flow in from multiple IPs, talk to your host!