Debian security: lots of connections on port 80
I have a Debian server (kernel: 2.6.32-5-amd64).
I normally run a Jetty server on it, but lately it started getting tons of connections to it. It shouldn't get all this traffic, since it's a pretty unknown server.
Running:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Outputs hundreds of IPs. I tried adding them all to the iptables drop list, but new IPs keep showing up.
I then went ahead and stopped Jetty, and all connections were gone. To make sure this was not a bug/security hole in Jetty, I fired up apache2, and all the connections started right away.
It looks like people are using it as a proxy server; using urlsnarf it's showing tons of outgoing requests to forums, ad sites, and you name it. It's doing so many requests that the CPU is jumping up and down, and eventually the server ends up crashing.
Does anyone know how they can do this? It seems like whatever server is listening on port 80, this immediately begins.
Is this a DDOS attack? How are people using my server as a proxy, only with software listening on port 80?
I have hostsdeny installed and deflate (http://deflate.medialayer.com/), but still the problem persists.
If you suspect or have any idea how to secure and fix this problem, I would be very thankful.
If I need to provide more data, let me know.
Thanks in advance
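One way to confirm from the web server's own access log that clients are treating the box as a forward proxy, as an added example that is not part of the original post: a request whose target is an absolute URI ("GET http://other-host/...") or a CONNECT is proxy-style, while a request for the server's own content has a plain path target. The log lines are constructed, and the field layout assumes Apache's Common Log Format.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Apache Common Log Format.
# Two clients send absolute-URI / CONNECT requests (proxy-style);
# one line is an ordinary request for local content.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2011:13:55:36 +0000] "GET http://forum.example.net/index.php HTTP/1.1" 404 209
203.0.113.10 - - [10/Oct/2011:13:55:37 +0000] "GET http://ads.example.com/click?id=1 HTTP/1.1" 404 209
198.51.100.7 - - [10/Oct/2011:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Oct/2011:13:55:39 +0000] "CONNECT mail.example.org:443 HTTP/1.1" 405 231
192.0.2.44 - - [10/Oct/2011:13:55:40 +0000] "GET http://forum.example.net/ HTTP/1.0" 404 209
"""

# client-ip ident user [timestamp] "METHOD TARGET PROTOCOL" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_proxy_request(method, target):
    """True when the request asks this server to relay traffic elsewhere:
    a CONNECT tunnel, or a GET/POST whose target is a full URL."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://"))


def proxy_abuse_by_source(log_text):
    """Count proxy-style requests per client IP. Returns {ip: count};
    clients that only fetch local content do not appear."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # skip lines that are not in the expected format
        if is_proxy_request(m.group("method"), m.group("target")):
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    # Same shape as the netstat | uniq -c pipeline: count then source.
    for ip, n in sorted(proxy_abuse_by_source(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {ip}")
```

Run it against the real log (`proxy_abuse_by_source(open("/var/log/apache2/access.log").read())`); sources with high counts are the ones to rate-limit or block rather than the whole netstat output, which also contains legitimate visitors.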