
Mailing List Archive
Re: [tlug] please ignore my previous mail regarding httpd strangeness
Hi again everybody,
I found the cause of this httpd hit after a bit more logfile analysis,
so please disregard my previous mail.
Funny how every time I post to the TLUG list, I seem to work out the
issue on my own almost right after. Maybe I should just post to myself
and go from there ;-)
Doh!
Scott VanDusen
Tokyo
On Fri, 2007-04-06 at 00:06 +0900, scott wrote:
> Hi everyone,
>
> The last couple of days I've noticed some strange behavior with my
> server at home - extreme network latency all of a sudden. Ping time to
> google is usually 208 ms but during this phenomenon it shoots up to
> over 2000 ms. To troubleshoot the latest event, I did the following
> (edited for brevity):
>
> [root@example.com scott]# netstat -tuapn
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address     Foreign Address      State       PID/Program name
> tcp   0      81200  219.114.58.46:80  58.138.12.186:50661  ESTABLISHED 24628/httpd
> tcp   0      70000  219.114.58.46:80  58.138.12.186:50660  ESTABLISHED 16617/httpd
> tcp   0      79800  219.114.58.46:80  58.138.12.186:50662  ESTABLISHED 16616/httpd
>
> [root@example.com sbin]# tcpdump -i ppp0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 23:40:58.909627 IP 186.12.138.58.dy.bbexcite.jp.50660 > slackisland.org.http: . ack 805046405 win 64400 <nop,nop,timestamp 662900488 523132041>
> 23:40:58.909678 IP slackisland.org.http > 186.12.138.58.dy.bbexcite.jp.50660: . 61601:63001(1400) ack 0 win 1402 <nop,nop,timestamp 523134165 662900488>
>
> So it looks like apache is taking a hit- dumping a lot of data to this
> guest from bbexcite. The same thing happened yesterday but it was to a
> host on OCN p7164-ipad412marunouchi.tokyo.ocn.ne.jp. I checked
> webalizer and these hosts had shown up:
>
> Top 10 of 135 Total Sites By KBytes
> #  Hits      Files     KBytes          Visits    Hostname
> 1  4  0.19%  4  0.25%  194038  17.44%  0  0.00%  p7164-ipad412marunouchi.tokyo.ocn.ne.jp
> 2  3  0.14%  3  0.18%  159350  14.32%  0  0.00%  186.12.138.58.dy.bbexcite.jp
> 3  3  0.14%  3  0.18%  159350  14.32%  0  0.00%  222.146.199.164
>
> So it looks like they are not "visiting", but they are downloading a
> lot of data. I am wondering if I should be concerned? I'm already
> pretty paranoid after getting my system broken into last year. If it
> isn't anything to worry about, I wonder if I can take off my tin hat
> and just throttle this kind of stuff to prevent my network from
> becoming so slow.
>
> Anybody else experiencing anything like this lately?
>
> Thanks in advance,
> Scott VanDusen
> Tokyo
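
The kind of logfile analysis mentioned in this thread, as an added example that is not part of the original mails: it totals hits and bytes per client from an Apache access log and flags clients that account for a large share of traffic with only a few requests, the pattern in the webalizer table above. The Apache "combined" log format, the function names, the thresholds and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation addresses), NOT from the original mails.
SAMPLE_LOG = r'''
198.51.100.7 - - [05/Apr/2007:23:31:02 +0900] "GET /files/a.iso HTTP/1.1" 200 60000000 "-" "Wget/1.10"
198.51.100.7 - - [05/Apr/2007:23:36:40 +0900] "GET /files/b.iso HTTP/1.1" 200 60000000 "-" "Wget/1.10"
203.0.113.20 - - [05/Apr/2007:23:38:11 +0900] "GET /files/a.iso HTTP/1.1" 200 40000000 "-" "Mozilla/5.0"
192.0.2.15 - - [05/Apr/2007:23:39:00 +0900] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.15 - - [05/Apr/2007:23:39:01 +0900] "GET /style.css HTTP/1.1" 304 - "-" "Mozilla/5.0"
192.0.2.15 - - [05/Apr/2007:23:39:05 +0900] "GET /a \"b\" HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.15 - - [05/Apr/2007:23:39:09 +0900] "GET /about HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
this line is truncated garbage and must be skipped
'''

# host, ident, user, [time], "request" (may contain escaped quotes), status, bytes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" (\d{3}) (\d+|-)')

def per_host_totals(log_text):
    """Return {host: (hits, bytes)}; unparseable lines are ignored."""
    totals = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, _status, size = m.groups()
        totals[host][0] += 1
        # Apache logs "-" when no response body was sent (e.g. 304).
        totals[host][1] += 0 if size == "-" else int(size)
    return {h: (hits, nbytes) for h, (hits, nbytes) in totals.items()}

def heavy_downloaders(log_text, min_share=0.10, max_hits=10):
    """Hosts with few requests but a large share of all bytes served.

    Returns (host, hits, bytes, share) tuples, largest transfer first.
    """
    totals = per_host_totals(log_text)
    grand = sum(nbytes for _hits, nbytes in totals.values())
    if grand == 0:
        return []
    flagged = [(h, hits, nbytes, nbytes / grand)
               for h, (hits, nbytes) in totals.items()
               if hits <= max_hits and nbytes / grand >= min_share]
    return sorted(flagged, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for host, hits, nbytes, share in heavy_downloaders(SAMPLE_LOG):
        print(f"{host:15} hits={hits:3} bytes={nbytes:>11} share={share:.1%}")
```
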