How to track DoS attack with Apache?
Hi, one of our servers is facing a DoS attack. It's basically a SYN attack towards port 80. Though I've blocked it through iptables, there is still lots of traffic towards that IP. I can't nullroute that IP because it is sitting for many domains and is used for name-based virtual hosting. My question: is there any way to detect which site the actual traffic is coming for? I know most DoS attacks are done on the dest. IP, but there *should* be some garbage HTTP/1.1 requests. Is it possible through Apache to make a combined access log for all the websites running there? All sites have their unique virtual hosts defined. This will help me track down which domain the attack is being carried out for.
Naseer
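
An added example, not part of the original post: one way to read a server-wide access log once it exists, tallying requests and malformed request lines per virtual host. It assumes a log format beginning with Apache's `%v` (the canonical ServerName of the serving virtual host); the format nickname, host names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed directive for the shared log (an assumption, not from the post):
#   LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# A well-formed request line looks like: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d\.\d$')

# Constructed sample lines (reserved example names, documentation addresses).
SAMPLE_LOG = r"""
shop.example.com 198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
shop.example.com 198.51.100.8 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
shop.example.com 203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "-" 408 -
shop.example.com 203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "\x16\x03\x01" 400 226
blog.example.org 192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /feed HTTP/1.1" 200 812
truncated line
"""

def tally(lines):
    """Return (requests per vhost, malformed requests per vhost, unparsed line count)."""
    per_vhost, malformed, unparsed = Counter(), Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # line does not follow the assumed format
            continue
        per_vhost[m["vhost"]] += 1
        if not REQUEST_RE.match(m["request"]):
            malformed[m["vhost"]] += 1   # empty, binary or truncated request line
    return per_vhost, malformed, unparsed

if __name__ == "__main__":
    hits, bad, skipped = tally(SAMPLE_LOG.splitlines())
    for vhost, count in hits.most_common():
        print(f"{vhost}: {count} requests, {bad[vhost]} malformed")
    print(f"unparsed lines: {skipped}")
```

A virtual host that defines its own `CustomLog` writes only to that file, so a shared log is complete only for hosts without one. Connections that never finish the TCP handshake do not reach Apache and will not appear in any access log.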