一台WEB服务器,有大量异常ESTABLISHED连接,估计是某种攻击,请大家帮忙分析一下

jefferey

UID: 37703
帖子: 153
积分: 351
在线时间: 1 天 8 小时

1^# jefferey 发表于 2008-04-11 17:47

一台WEB服务器,有大量异常ESTABLISHED连接,估计是某种攻击,请大家帮忙分析一下

全是类似如下行, 一般有1W多个80端口连接, 经查squid日志, 不应该是由客户端直接发起的HTTP请求,请问会是什么类型的攻击?
tcp       0  40000 111.111.111.111:80          116.116.35.7:2208          ESTABLISHED 12438/(squid)
tcp       0  59968 111.111.111.111:80          60.215.85.197:2123       ESTABLISHED 12438/(squid)
tcp       0 7619 111.111.111.111:80          123.8.146.10:36195       ESTABLISHED 12438/(squid)
tcp       0  59968 111.111.111.111:80          60.215.85.197:2123       ESTABLISHED 12438/(squid)
tcp       0 7619 111.111.111.111:80          123.8.146.10:36195       ESTABLISHED 12438/(squid)
tcp       0  45312 111.111.111.111:80          124.67.50.46:2220          ESTABLISHED 12438/(squid)
tcp       0  19136 111.111.111.111:80          219.159.26.224:1897       ESTABLISHED 12438/(squid)
tcp       0    0 111.111.111.111:80          222.247.148.252:2451       ESTABLISHED 12438/(squid)
tcp       0 9627 111.111.111.111:80          220.207.248.176:49549    ESTABLISHED 12438/(squid)
tcp       0  44224 111.111.111.111:80          125.32.211.49:1335       ESTABLISHED 12438/(squid)
tcp       0 9627 111.111.111.111:80          220.207.248.176:49549    ESTABLISHED 12438/(squid)
tcp       0  44224 111.111.111.111:80          125.32.211.49:1335       ESTABLISHED 12438/(squid)
tcp       0  32768 111.111.111.111:80          221.7.80.250:1445          ESTABLISHED 12438/(squid)
tcp       0    0 111.111.111.111:80          218.86.189.109:3440       ESTABLISHED 12438/(squid)
tcp       0  13280 111.111.111.111:80          123.6.98.36:49321          ESTABLISHED -
tcp       0 8291 111.111.111.111:80          124.67.229.25:1366       ESTABLISHED 12438/(squid)
tcp       0 8611 111.111.111.111:80          121.24.97.223:49585       ESTABLISHED 12438/(squid)
tcp       0 8291 111.111.111.111:80          124.67.229.25:1366       ESTABLISHED 12438/(squid)
tcp       0 8611 111.111.111.111:80          121.24.97.223:49585       ESTABLISHED 12438/(squid)
tcp       0  21120 111.111.111.111:80          222.43.131.97:1573       ESTABLISHED 12438/(squid)

alvis

UID: 1041
帖子: 176
积分: 404
在线时间: 1 天 18 小时

2^# alvis 发表于 2008-04-16 18:35

QUOTE:

原帖由 jefferey 于 2008-4-11 17:47 发表
全是类似如下行, 一般有1W多个80端口连接, 经查squid日志, 不应该是由客户端直接发起的HTTP请求,请问会是什么类型的攻击?
tcp 0 40000 111.111.111.111:80 116.116.35.7:2208 ES ...

感觉像是 netstat got duplicate tcp line 了，你的 OS 是什么发布版，netstat 和 kernel 的版本是？