On 22/04/13 15:34, Stephen Villano wrote:
> First, have there been any configuration changes shortly before the
> problem began? The first rule is "look for stupidity", as in an
> error in configuration causing a self-DoS. Many of us have done
> that to ourselves, to our embarrassment. If not, go with Tim's
> suggestion and also look at squid's logs. Are you getting requests,
> but no full session (SYN flood)?
>
> I'm on your site periodically. It's normally smoothly running,
> since you went with Linode. The site is overall well behaved.
> However, it is one that could easily become the target of a script
> kiddie. So, do you have SYN cookies turned on?

Most kinds of DoS attack, including SYN flooding, can be seen in
Ganglia as a sharp increase in inbound network traffic, especially as
measured by packet count (pkts_in).
SYN cookies are definitely a good idea, regardless of whether an
attack is underway. They are enabled by default in Ubuntu.
-- Tim Starling
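
Added example, not part of the original message: a Python sketch of the two checks discussed in this thread, flagging a sharp rise in a pkts_in-style series and reading the kernel's SYN cookie setting and counters. The sample data is constructed, the `/proc/net/netstat` excerpt is abbreviated to a few real TcpExt counters, and the baseline length and 5x threshold are assumptions to tune per site.

```python
import statistics

# Constructed sample in the layout of /proc/net/netstat (names line, then values line).
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops
TcpExt: 48211 37 1902 48250 48250
IpExt: InOctets OutOctets
IpExt: 912345678 1234567
"""

# Constructed per-interval inbound packet counts, like a Ganglia pkts_in series.
SAMPLE_PKTS_IN = [410, 395, 430, 402, 418, 9800, 10250, 9900]


def parse_netstat(text):
    """Return {section: {counter: int}} from /proc/net/netstat-style text."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    out = {}
    # Lines come in pairs: counter names, then the matching values.
    for names, values in zip(lines[0::2], lines[1::2]):
        if names[0] != values[0] or len(names) != len(values):
            raise ValueError("mismatched header/value lines")
        out[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return out


def spike_indices(series, baseline_len=5, factor=5.0):
    """Indices past the baseline window whose value exceeds factor x the baseline median."""
    baseline = statistics.median(series[:baseline_len])
    return [i for i, v in enumerate(series) if i >= baseline_len and v > factor * baseline]


def syncookies_enabled(path="/proc/sys/net/ipv4/tcp_syncookies"):
    """True if the sysctl is 1 or 2, False if 0, None if unreadable (e.g. non-Linux)."""
    try:
        with open(path) as f:
            return int(f.read().strip()) > 0
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    tcpext = parse_netstat(SAMPLE_NETSTAT)["TcpExt"]
    print("pkts_in spikes at samples:", spike_indices(SAMPLE_PKTS_IN))
    print("SYN cookies sent:", tcpext["SyncookiesSent"], "listen drops:", tcpext["ListenDrops"])
    print("tcp_syncookies enabled:", syncookies_enabled())
```

On a live host, pass the contents of `/proc/net/netstat` to `parse_netstat` and compare two readings taken a minute apart; the counters are cumulative since boot, so only the difference is meaningful.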