Special Forums IP Networking netstat - possible reasons for high IP count ??? Post 302260039 by PWSwebmaster on Wednesday 19th of November 2008 12:59:07 PM
It's been different files and scripts, but mostly just files, being accessed at a high count of one IP like that.

Here's an example from log files for one case:

Quote:
60.50.105.33 - - [18/Nov/2008:08:45:04 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 91022 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:06 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 227228 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:13 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 115944 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:14 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 157814 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 156708 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 203672 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
60.50.105.33 - - [18/Nov/2008:08:45:17 -0500] "GET /uploads/2476/2008_TEB_-11-_Alban_Preaubert_FS.avi HTTP/1.1" 206 198600 "http://www.skatingvideoclips.com/uploads/2476" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Netstat showed that IP many times, so it wasn't their computer downloading a video a bit at a time. It looked more like they were downloading the same video a high number of times at once. There are about 400 videos there, so it wasn't 50 different people with the same OS and same gateway downloading the same video at the same time.

That IP is from Malaysia.
The host is: 33.105.50.60.klj03-home.tm.net.my and is probably from MY (MALAYSIA)

Most of the high count IPs have been from Malaysia, Taiwan, Poland, Japan and China.

When the server first started having high load trouble, I found the high number of connections to one file and renamed the file, then minutes later the same IP would have a high number of connections to a different file, then I blocked the IP from that site and minutes later the same file was being accessed a high number of times from a different IP. I wrote a little script to block IPs from that site automatically, then the IP would just keep changing and show as being from different countries. The script would just block access to the one site which meant giving a 403 page each time. Next thing I knew, the volume was climbing and they were just getting the 403 page 100 times a second. Definitely looked to me like someone was trying to crash the server, so I had to look into blocking them from the whole server.

Since I started running my auto iptables script a week ago, the server load has pretty much quit spiking.

The odds of many people from one company on the same router going to a site at the same time are quite slim, but later on I can adjust my script to check the log files to see if the IPs are all accessing the same file and using the same browser, which would help prevent them from being blocked.
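
The log check mentioned at the end of the post (same file and same browser per IP), sketched as an added example; it is not part of the original post and not the poster's script. The 10-second window, the threshold of 5, the verdict labels and the sample lines (documentation-range IPs) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format, the same layout as the log excerpt quoted in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def peak_in_window(times, window):
    """Largest number of requests that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def classify(lines, window_s=10, threshold=5):
    """Return {ip: verdict} for every IP whose burst rate reaches the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m["ip"]].append((ts, m["path"], m["ua"]))
    verdicts = {}
    for ip, hits in per_ip.items():
        peak = peak_in_window([h[0] for h in hits], timedelta(seconds=window_s))
        if peak < threshold:
            continue
        paths = {h[1] for h in hits}
        agents = {h[2] for h in hits}
        # One file and one browser string: a single client hammering one URL.
        # Several files or browsers: more likely many users behind one gateway.
        single = len(paths) == 1 and len(agents) == 1
        verdicts[ip] = "block-candidate" if single else "shared-gateway"
    return verdicts

def make_line(ip, sec, path, ua):
    return (f'{ip} - - [18/Nov/2008:08:45:{sec:02d} -0500] '
            f'"GET {path} HTTP/1.1" 206 1000 "-" "{ua}"')

# Constructed sample input: one hammering IP, one busy gateway, one quiet visitor.
SAMPLE = ([make_line("203.0.113.7", s, "/uploads/1/a.avi", "UA-one") for s in range(4, 10)]
          + [make_line("198.51.100.9", s, f"/uploads/1/{s}.avi", f"UA-{s % 3}") for s in range(4, 10)]
          + [make_line("192.0.2.5", 4, "/index.html", "UA-one")])
```

Only addresses marked `block-candidate` would be passed on to the firewall step; `shared-gateway` ones are left for manual review.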
 
