My server is under attack!
When I use netstat -anp | grep :80
I get the following listing:
tcp 0 0 162.167.98.11:80 5.189.156.224:58211 SYN_RECV -
tcp 0 0 162.167.98.11:80 5.189.156.224:39608 SYN_RECV -
tcp 0 0 162.167.98.11:80 5.189.156.224:33261 SYN_RECV -
tcp 0 0 162.167.98.11:80 5.189.156.224:56951 SYN_RECV -
There are tens of lines like this.
Please help me understand this listing and how I can protect the server against this IP that is making a huge number of requests. I'm using fail2ban, which is configured against DDoS attacks, but it looks like I'm missing something.
The server is a virtual machine running Ubuntu 12.04.
Fail2ban would react only to clients that generate some kind of error.
This might be a Slowloris attack. It works by opening a connection and trying to keep it open as long as possible by constantly adding something to the request. Then additional such connections are opened and kept open.
So the possible solutions are about limiting the open connections per client.
This can be done with iptables directly as mentioned here or by using appropriate Apache modules (if this is your web server anyway).
One explicitly designed for this purpose is mod_antiloris; another, more configurable one is mod_qos.
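To make the listing in the question and the "open connections per client" view in the answer concrete, here is an added example (not code from either poster): a parser for `netstat -an` TCP lines that counts connections per remote IP and state, run over a constructed sample modelled on the question's output. The limit of 3 is an assumed value chosen for the demonstration.

```python
import re
from collections import Counter

# Constructed sample, modelled on the `netstat -anp | grep :80` listing in the
# question, plus an ESTABLISHED and a LISTEN line for contrast.
SAMPLE_NETSTAT = """\
tcp        0      0 162.167.98.11:80        5.189.156.224:58211     SYN_RECV    -
tcp        0      0 162.167.98.11:80        5.189.156.224:39608     SYN_RECV    -
tcp        0      0 162.167.98.11:80        5.189.156.224:33261     SYN_RECV    -
tcp        0      0 162.167.98.11:80        5.189.156.224:56951     SYN_RECV    -
tcp        0      0 162.167.98.11:80        198.51.100.7:41022      ESTABLISHED 1234/apache2
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
"""

# Columns of `netstat -an` for TCP: Proto Recv-Q Send-Q Local Foreign State [PID/Program]
LINE_RE = re.compile(r"^(tcp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like ':::80' still work."""
    addr, port = endpoint.rsplit(":", 1)
    return addr, port


def parse_netstat(text):
    """Return one dict per TCP line: endpoints, state and queue sizes."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, udp/unix sockets, blank lines
        _proto, recv_q, send_q, local, foreign, state = m.groups()
        local_ip, local_port = split_endpoint(local)
        remote_ip, remote_port = split_endpoint(foreign)
        conns.append({"local_ip": local_ip, "local_port": local_port,
                      "remote_ip": remote_ip, "remote_port": remote_port,
                      "state": state, "recv_q": int(recv_q), "send_q": int(send_q)})
    return conns


def count_by_remote(text, state="SYN_RECV"):
    """Count connections in the given state per remote IP (the per-client view)."""
    counts = Counter()
    for c in parse_netstat(text):
        if c["state"] == state:
            counts[c["remote_ip"]] += 1
    return counts


def clients_over_limit(text, limit, state="SYN_RECV"):
    """Remote IPs holding more than `limit` connections in `state`."""
    return sorted(ip for ip, n in count_by_remote(text, state).items() if n > limit)


if __name__ == "__main__":
    for ip, n in count_by_remote(SAMPLE_NETSTAT).most_common():
        print(f"{ip:<16} {n} SYN_RECV")
    print("over limit:", clients_over_limit(SAMPLE_NETSTAT, limit=3))  # assumed limit
```

Piping live `netstat -an` output into `parse_netstat` gives the same per-client counts on a real host; the state column is what distinguishes half-open (SYN_RECV) from fully established connections.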