DoS attack?


I found there are 500 processes on my server when I run top.
Normally it's only 200+. I suspect someone is attacking me.

The IP is from a proxy server, and it's attacking my ads system...

Help me out.


It might or might not be a DOS attack.

If the excess processes are repeated instances of some service that your system provides that accepts network connections, then it's possibly a DOS attack. Of course it could also be some malfunctioning system or (in this case) proxy server. If the excess processes aren't network apps, then it's more likely that you've got some local problem.

If you have evidence that it's a DOS attack (intentional or otherwise), the only solution is to block the source IP(s) from connecting to your server or services. How you accomplish this depends on whether there's a router or firewall (that you control and can configure) between you and the source, or whether the IP restrictions can be imposed on the application (either via a conf file or tcpwrappers).

BTW, I haven't a clue as to what an "ads server" is.
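The check the answer above describes (are the extra processes repeated instances of a network service, and does one source account for the connections?) can be scripted. The snippet below is an added example, not code from this thread: it reads constructed samples standing in for `ps -eo comm=` and `netstat -an` output (the addresses are documentation ranges, 203.0.113.5 playing the suspected proxy), counts processes per command and ESTABLISHED connections per remote IP, and flags any source over a threshold.

```shell
#!/bin/sh
# Added example (not from the original thread): separate "more processes"
# from "more network connections" so a process spike can be attributed.
# Inputs are constructed samples standing in for `ps -eo comm=` and
# `netstat -an` on the affected server; the IP addresses are documentation
# ranges, not real hosts.

# Constructed sample of `ps -eo comm=` output (one command name per line).
SAMPLE_PS='httpd
httpd
httpd
httpd
httpd
sshd
cron
sendmail
httpd'

# Constructed sample of Solaris-style `netstat -an` TCP lines:
# local-address remote-address swind send-q rwind recv-q state.
# 203.0.113.5 plays the suspected proxy.
SAMPLE_NETSTAT='192.0.2.10.80 203.0.113.5.40001 49152 0 49152 0 ESTABLISHED
192.0.2.10.80 203.0.113.5.40002 49152 0 49152 0 ESTABLISHED
192.0.2.10.80 203.0.113.5.40003 49152 0 49152 0 ESTABLISHED
192.0.2.10.80 203.0.113.5.40004 49152 0 49152 0 TIME_WAIT
192.0.2.10.80 198.51.100.7.51000 49152 0 49152 0 ESTABLISHED
192.0.2.10.22 198.51.100.9.52000 49152 0 49152 0 ESTABLISHED
*.80 *.* 0 0 49152 0 LISTEN'

# Count processes per command name, most numerous first ("count command").
# If the top entry is a network daemon, correlate it with connections;
# if it is a local job, look for a local cause instead.
count_procs() {
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Count ESTABLISHED connections per remote IP. The trailing port is
# stripped whether netstat separates it with "." (Solaris) or ":" (Linux).
top_talkers() {
    awk '$NF == "ESTABLISHED" {
             ip = $2; sub(/[.:][0-9]+$/, "", ip); n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print every remote IP holding more than $1 established connections.
# Exit status is 0 when at least one source crosses the threshold, so the
# function can gate a block decision in a larger script.
flag_sources() {
    top_talkers | awk -v t="$1" '$1 > t { print $2; found = 1 } END { exit !found }'
}

echo "== processes by command =="
printf '%s\n' "$SAMPLE_PS" | count_procs
echo "== established connections by remote IP =="
printf '%s\n' "$SAMPLE_NETSTAT" | top_talkers
echo "== sources over 2 connections =="
printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources 2 || echo "(none)"
```

On a live box replace the two samples with `ps -eo comm= | count_procs` and `netstat -an | top_talkers`; a source that is both the top talker and matched by a surge in one daemon's process count is the one to block or report.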

bsherAuthor Commented:
ads server = advertising system...

How can I trace the real 'guy' behind the proxy?

Without direct access to the proxy server, or cooperation from whoever is responsible for it, there's no way to tell who is actually originating the traffic. At the TCP/IP level all of the data will point back to the proxy server and no further. You have to examine the logs of the proxy to find out what "inside" address caused the traffic.

At this point, if it were me, I'd institute an IP block to reject all traffic from the proxy server just to protect my system. That's easy for me to say, since I always have something with filtering/firewall capabilities between systems I manage/use (even my home machines) and the Internet. Depending on how you are set up it might not be as easy. Then I'd find out who is the Administrative Contact (via whois) for the domain the proxy server is in, contact them and have them do something about it.
If you know the IP address the attack is coming from and you wish to deny service but without a firewall, on a Solaris system you can set up basic tcp wrappers. I don't know if this would work for any other flavour of unix. Create a file called /etc/hosts.deny and put the following line in:


Where the IP address is replaced with the IP address of the proxy server. This will deny all attempted connections from this address.

He might be able to use tcp wrappers, if his application is suitable for use with same. Whether they will work in this case depends on the app and the nature of the attack. It might be that a more general solution is needed, like ipfilter (
/etc/hosts.deny should have no effect on any applications running on the machine though. It will just deny service to one particular ip address.
Nope, in the case of tcp wrappers ALL just means every service that's been "wrapped", i.e., those services listed in inetd.conf that look like:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a

The operative part is that the daemon inetd will spawn on a connect to that service is /usr/sbin/tcpd. It in turn will check hosts.deny, and if the connection is okay will pass it to the actual daemon (in.ftpd in this case).
How does that contradict what I said?
Because it doesn't "deny all attempted connections from this address". It only denies access from that machine to "wrapped" services. His "ads" service may well be a custom app listening on some UDP port for all we know (not under control of inetd and quite possibly not "wrappable").
Good point
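The scope question settled in the exchange above (whether "ALL: ip" in /etc/hosts.deny denies everything, or only services inetd hands to tcpd) can be checked mechanically against a host's inetd.conf. The script below is an added example, not code from this thread or from tcpd itself: it parses a constructed inetd.conf, a constructed one-line hosts.deny, and a constructed list of stand-alone daemons (the name "adsd" is hypothetical, standing in for the question's custom ads service), then reports which services the deny line actually reaches. Its hosts.deny matcher handles only the plain "ALL: ip" and "daemon: ip" forms used in the thread, not netmasks, EXCEPT clauses or hosts.allow precedence.

```shell
#!/bin/sh
# Added example (not from the original thread): show what an "ALL: <ip>"
# line in /etc/hosts.deny actually reaches. tcpd is only consulted for
# services that inetd starts through /usr/sbin/tcpd; a service inetd runs
# directly, or a daemon that binds its own socket, never sees hosts.deny.
# All inputs are constructed samples, not files from a real host.

# Constructed /etc/inetd.conf: ftp and telnet go through tcpd, finger is
# run directly, and tftp is commented out.
SAMPLE_INETD='ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
# tftp  dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd -s /tftpboot'

# Constructed /etc/hosts.deny containing the one line the thread recommends.
SAMPLE_HOSTS_DENY='ALL: 203.0.113.5'

# Constructed names of daemons started outside inetd. "adsd" is a
# hypothetical name for the custom ads service the question describes.
SAMPLE_STANDALONE='adsd
httpd'

# Print the service names an inetd.conf hands to tcpd. Field 6 is the
# server program; comment lines are skipped.
wrapped_services() {
    awk '!/^#/ && $6 ~ /\/tcpd$/ { print $1 }'
}

# Exit 0 if hosts.deny (on stdin) denies client $2 for service $1.
# Only the "ALL: ip" and "daemon: ip" forms are handled; real tcpd syntax
# also has netmasks, EXCEPT, and hosts.allow precedence (out of scope).
denied_by_hosts_deny() {
    awk -v s="$1" -v c="$2" '
        /^#/ || NF == 0 { next }
        {
            split($0, part, ":")
            gsub(/[ \t]/, "", part[1])
            n = split(part[2], client, "[ \t,]+")
            for (i = 1; i <= n; i++)
                if ((part[1] == "ALL" || part[1] == s) && client[i] == c) { hit = 1; exit }
        }
        END { exit !hit }'
}

# Report, per service on the host, whether the hosts.deny line reaches it
# for the client IP given as $1.
coverage_report() {
    client=$1
    printf '%s\n' "$SAMPLE_INETD" | wrapped_services | while read -r svc; do
        if printf '%s\n' "$SAMPLE_HOSTS_DENY" | denied_by_hosts_deny "$svc" "$client"; then
            echo "$svc: denied for $client (wrapped by tcpd)"
        else
            echo "$svc: allowed for $client"
        fi
    done
    # Services inetd runs without tcpd, and daemons outside inetd, are
    # never checked against hosts.deny at all.
    printf '%s\n' "$SAMPLE_INETD" |
        awk '!/^#/ && $6 !~ /\/tcpd$/ { print $1 ": NOT covered (inetd runs it without tcpd)" }'
    printf '%s\n' "$SAMPLE_STANDALONE" |
        awk '{ print $1 ": NOT covered (not started by inetd)" }'
}

coverage_report 203.0.113.5
```

The report makes the point of the exchange concrete: ftp and telnet are denied for the proxy, while finger (run by inetd without tcpd) and the stand-alone daemons are untouched, so a custom ads service that binds its own socket needs a packet filter or an application-level block, not hosts.deny.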
bsherAuthor Commented:
I have blocked all the requests from that proxy IP,

and now my server load is quite okay....

Thanks guys