Is this a DDoS attack?
Since 4 hrs ago, the HTTP service on one of our servers has been down. We checked the server and found the following lines in the system log:
Dec 12 01:53:40 ss04 kernel: NET: 660 messages suppressed.
Dec 12 01:53:45 ss04 kernel: NET: 721 messages suppressed.
Dec 12 01:53:50 ss04 kernel: NET: 691 messages suppressed.
Dec 12 01:53:55 ss04 kernel: NET: 651 messages suppressed.
.....
and when we ran netstat -n, it reported:
tcp 0 0 203.98.164.152:80 157.71.48.50:36104 SYN_RECV
tcp 0 0 203.98.164.152:80 159.235.73.72:338 SYN_RECV
tcp 0 0 203.98.164.152:80 159.69.209.65:22740 SYN_RECV
tcp 0 0 203.98.164.152:80 222.150.165.88:64791 SYN_RECV
tcp 0 0 203.98.164.152:80 219.192.51.33:56695 SYN_RECV
tcp 0 0 203.98.164.152:80 8.63.216.47:57220 SYN_RECV
tcp 0 0 203.98.164.152:80 83.1.129.42:43461 SYN_RECV
tcp 0 0 203.98.164.152:80 33.106.107.23:51050 SYN_RECV
tcp 0 0 203.98.164.152:80 169.244.51.101:22173 SYN_RECV
tcp 0 0 203.98.164.152:80 44.18.70.15:65124 SYN_RECV
tcp 0 0 203.98.164.152:80 162.8.104.37:5091 SYN_RECV
tcp 0 0 203.98.164.152:80 60.74.233.60:10398 SYN_RECV
tcp 0 0 203.98.164.152:80 12.68.108.10:53682 SYN_RECV
tcp 0 0 203.98.164.152:80 202.98.106.23:50549 SYN_RECV
tcp 0 0 203.98.164.152:80 12.207.145.73:31048 SYN_RECV
tcp 0 0 203.98.164.152:80 85.32.105.72:37464 SYN_RECV
tcp 0 0 203.98.164.152:80 47.82.53.39:5558 SYN_RECV
tcp 0 0 203.98.164.152:80 24.174.157.15:61778 SYN_RECV
...... (up to 1500 lines like this)
When we only allow a few IPs to access the server's port 80, all websites work normally. It seems the problem doesn't come from the server itself.
Server details:
P4 2.8G CPU, 2GB RAM, Apache 1.3.31, directadmin, CentOS 3.3 with latest update.
We would appreciate any recommendations, thanks.
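As an added triage example (not part of the original post), the following Python parses `netstat -n` lines like those quoted above and summarises half-open (SYN_RECV) connections per local port, together with how many distinct remote addresses they come from. The sample input is constructed to resemble the question's output, and the alert threshold is an assumed value to tune for your own server.

```python
"""Triage helper for a suspected SYN flood, driven by `netstat -n` output."""
import re
from collections import Counter

# Constructed sample modelled on the netstat output quoted in the question
# (not real traffic). One ESTABLISHED SSH line is included as a control.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 203.98.164.152:80 157.71.48.50:36104 SYN_RECV
tcp 0 0 203.98.164.152:80 159.235.73.72:338 SYN_RECV
tcp 0 0 203.98.164.152:80 159.69.209.65:22740 SYN_RECV
tcp 0 0 203.98.164.152:80 222.150.165.88:64791 SYN_RECV
tcp 0 0 203.98.164.152:22 10.0.0.5:51022 ESTABLISHED
tcp 0 0 203.98.164.152:80 8.63.216.47:57220 SYN_RECV
"""

# Matches the TCP lines only; header lines and other protocols are skipped.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)"
    r"\s+(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)"
)


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every TCP socket line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group("lport")), m.group("raddr"), m.group("state")


def syn_recv_summary(text):
    """Map local port -> (half-open connections, distinct remote IPs)."""
    half_open, sources = Counter(), {}
    for lport, raddr, state in parse_netstat(text):
        if state == "SYN_RECV":
            half_open[lport] += 1
            sources.setdefault(lport, set()).add(raddr)
    return {p: (half_open[p], len(sources[p])) for p in half_open}


def looks_like_syn_flood(text, port=80, threshold=1000):
    """Return (flagged, half_open, distinct_sources) for one local port.

    The two signals are the ones visible in the question: many sockets stuck
    in SYN_RECV on the web port, and nearly every one from a different source
    address. The threshold (default 1000) is an assumed value.
    """
    half_open, distinct = syn_recv_summary(text).get(port, (0, 0))
    return half_open >= threshold, half_open, distinct


if __name__ == "__main__":
    print(syn_recv_summary(SAMPLE_NETSTAT))
    print(looks_like_syn_flood(SAMPLE_NETSTAT, threshold=3))
```

A high SYN_RECV count made up almost entirely of distinct source addresses is the classic SYN-flood pattern, and because such sources are usually spoofed, blocking individual IPs gives little relief. On Linux the usual first mitigation is enabling SYN cookies (`net.ipv4.tcp_syncookies=1`) so half-open connections no longer exhaust the backlog.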