Lots of connections on port 80

I have a Debian server (kernel: 2.6.32-5-amd64).

I normally run a jetty server on it, but lately, it has started getting tons of connections to it. It shouldn't get all this traffic, since it's a pretty unknown server.

Running:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

Outputs hundreds of IPs. I tried adding them all to iptables drop list, but new IPs keep showing up.

I then went ahead and stopped Jetty, and all connections were gone. To make sure this was not a bug/security hole in Jetty, I fired up apache2, and all the connections started right away.

It looks like people are using it as a proxy server, using urlsnarf it's showing tons of outgoing requests to Forums, ad sites, and you name it. It's doing so many requests, that the CPU is jumping up and down, and eventually, the server ends up crashing.

Does anyone know how they can do this? It seems like whatever server is listening on port 80, this immediately begins.

Is this a DDOS attack? How are people using my server as a proxy, only with software listening on port 80?

I have hostsdeny installed and deflate (http://deflate.medialayer.com/), but still, the problem persists.
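Clients that treat a host as a forward proxy send requests whose target is an absolute URI (GET http://host/path) or a CONNECT host:port line, rather than a plain path, and that shape survives in the web server's access log. The script below is an added example, not something from the question or either answer: it assumes Apache-style combined log lines (constructed here, not taken from the affected server) and counts proxy-shaped requests per source address so the abuse can be confirmed from the log instead of from netstat alone.

```python
import re
from collections import Counter

# Constructed sample access log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET http://forum.example.net/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:55:37 +0000] "GET http://ads.example.org/track?id=1 HTTP/1.1" 200 221 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:13:55:38 +0000] "CONNECT mail.example.com:443 HTTP/1.1" 200 0 "-" "curl/7.21"
192.0.2.9 - - [10/Oct/2011:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:55:40 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Matches the leading fields of a combined-format line: client IP, identity,
# user, timestamp and the quoted request line (method, target, protocol).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def is_proxy_request(method, target):
    """True when the request line is shaped like a forward-proxy request:
    CONNECT to host:port, or an absolute URI where a path is expected."""
    if method == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))


def proxy_requests_by_ip(log_text):
    """Count proxy-shaped requests per client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_proxy_request(m.group("method"), m.group("target")):
            counts[m.group("ip")] += 1
    return counts


def top_abusers(log_text, min_requests=1):
    """Return (ip, count) pairs, busiest first, for IPs at or above the threshold."""
    counts = proxy_requests_by_ip(log_text)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_requests]


if __name__ == "__main__":
    for ip, n in top_abusers(SAMPLE_LOG):
        print(f"{n:6d}  {ip}")
```

Run it against the real log with `python3 script.py < /var/log/apache2/access.log` style piping swapped in for SAMPLE_LOG; a server that is not meant to proxy should show zero such requests, so any non-empty result confirms the proxy abuse rather than a flood of half-open SYNs.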


This is not a DDOS attack if there is real traffic going on through your server.

What you are describing shouldn't be possible, but hackers may still have found a way. If your server was compromised, then it is much more likely that the attack came from inside your network via another infected computer.

I would suggest to reformat this server's disk and reinstall all software. Ensure that it is firewalled from both the external and internal networks.

You should also verify all the computers in your internal network that have access of any kind to this server, and in the future restrict more any such access.

Follow the articles below for Apache (more info is surely to be found elsewhere):

Security Tips - Apache HTTP Server
20 ways to Secure your Apache Configuration

There are many articles for hardening Linux, so here are just a couple:

20 Linux Server Hardening Security Tips
Red Hat Linux Server Hardening Checklist


It's not really on topic, but I would advise updating your kernel, as 2.6.32-5 is vulnerable to a local root exploit.

But your server could have been compromised already and be being used as a proxy server for someone; if you're hosting a website, have a look through it and see if there are any suspicious-looking pages.

Also install anti-rootkit software, just in case.

Typically DDoS attacks would just show up as SYN requests if you looked at traffic through a program such as Wireshark.