Is this a DDoS attack?

2014-01-26 10:59:37 +08:00
 582033
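Using iftop, I can currently see the following information, as shown in the screenshot: http://urlc.cn/g/yd6io6tu

Could I be under a DDoS attack?

Please help analyze this and suggest a fix.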
6984 views
Node: Webmasters
11 replies
kmvan
2014-01-26 11:12:06 +08:00
What's abnormal?
582033
2014-01-26 11:16:06 +08:00
725 connecting IPs were detected, and bandwidth has hit its peak.
Livid
2014-01-26 11:22:09 +08:00
In this situation you should look at the web server's log.
582033
2014-01-26 11:40:22 +08:00
@Livid Please advise... how can I tell whether anything is abnormal?

error.log shows entries like the following:
2014/01/26 11:36:12 [error] 14532#0: unexpected response for www.espam.co.kr
2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
2014/01/26 11:36:25 [error] 14533#0: unexpected response for giahdarou.ir
2014/01/26 11:37:38 [error] 14533#0: DNS error (16: Unknown error), query id:14222
2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:22 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:32 [error] 14533#0: unexpected response for www.portlandcvb.com
2014/01/26 11:38:41 [error] 14532#0: unexpected response for www.zb1213.com
2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
2014/01/26 11:38:50 [error] 14533#0: unexpected response for steady-laughing.com
2014/01/26 11:38:55 [error] 14533#0: unexpected response for steady-laughing.com
Livid
2014-01-26 11:43:22 +08:00
@582033 Take a look at access.log.
582033
2014-01-26 11:52:21 +08:00
@Livid The log hasn't grown significantly.



114.80.109.30 - - [26/Jan/2014:11:41:26 +0800] "POST /api/manyou/my.php HTTP/1.0" 200 154 "http://www.bgjsy.com/api/manyou/my.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
113.13.131.36 - - [26/Jan/2014:11:41:27 +0800] "POST /member.php?mod=register&inajax=1 HTTP/1.1" 200 1042 "http://www.bgjsy.com/member.php?mod=register&inajax=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
46.161.41.24 - - [26/Jan/2014:11:42:22 +0800] "GET /search.php?mod=forum&srchtxt=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE&formhash=5f7a996e&searchsubmit=true&source=hotsearch HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
46.161.41.24 - - [26/Jan/2014:11:42:23 +0800] "GET /search.php?mod=forum&searchid=4&orderby=lastpost&ascdesc=desc&searchsubmit=yes&kw=%E5%8C%97%E4%BA%AC%E4%BA%8C%E6%89%8B%E6%88%BF%E8%A3%85%E4%BF%AE HTTP/1.1" 200 7330 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows 95) Opera 7.03 [de]"
117.80.175.69 - - [26/Jan/2014:11:42:38 +0800] "GET / HTTP/1.1" 301 5 "http://www.bgjsy.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"

42.96.185.104 - - [26/Jan/2014:11:47:58 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:48:20 +0800] "GET /?topic=%E6%88%91%E6%83%B3%E5%95%8F%E6%8D%B7%E6%98%9F%E8%88%AA%E7%A9%BA%E9%9A%A8%E8%BA%AB%E8%A1%8C%E6%9D%8E%E7%9A%84%E9%99%90%E5%88%B6 HTTP/1.1" 200 4701 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b1) Gecko/20091014 Firefox/3.6b1 GTB5"
221.215.66.58 - - [26/Jan/2014:11:48:38 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:48:52 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
212.2.229.35 - - [26/Jan/2014:11:48:55 +0800] "CONNECT oauth.vk.com:443 HTTP/1.0" 400 172 "-" "-"
42.96.185.104 - - [26/Jan/2014:11:49:46 +0800] "GET /tongji/5.html HTTP/1.0" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
221.215.66.58 - - [26/Jan/2014:11:50:25 +0800] "GET /tongji/5.html HTTP/1.0" 404 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:50:57 +0800] "GET /tongji/5.html HTTP/1.1" 404 198 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
42.96.185.104 - - [26/Jan/2014:11:51:00 +0800] "GET /apple/iphone4renzituoguijiaotao/ HTTP/1.1" 404 142 "http://www.guokey.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50"
cst4you
2014-01-26 12:21:35 +08:00
Could it be a crawler?
tywtyw2002
2014-01-26 13:46:02 +08:00
A Korean website?

Only 4M for a DDoS? That's too little traffic. Grep the log.

Capture packets with tcpdump and take a look.
magicsilence
2014-01-26 13:53:57 +08:00
Take a look with iptraf.
582033
2014-01-26 14:38:31 +08:00
@tywtyw2002 The bandwidth cap is 4M, so that is already the peak...
582033
2014-01-26 18:02:44 +08:00
@magicsilence
@cst4you
@tywtyw2002
@Livid

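Thanks to everyone above. It turned out that an HTTP proxy I was running without a password had been abused, and it wasn't writing any logs, so no wonder I didn't see a fast-growing log. Thanks again.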
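Editor's added example, not code from any poster in this thread: a triage script that looks for the two signs of proxy abuse visible in the logs quoted above, namely proxy-style requests in access.log (CONNECT, or an absolute URL for a foreign host) and foreign hostnames in the "unexpected response for" lines of error.log. The sample lines, the `OWN_HOSTS` set and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines modelled on the two log formats quoted in the thread.
ACCESS_LOG = '''\
192.0.2.10 - - [26/Jan/2014:11:48:55 +0800] "CONNECT proxied.example.net:443 HTTP/1.0" 400 172 "-" "-"
198.51.100.7 - - [26/Jan/2014:11:49:01 +0800] "GET http://other.example.org/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [26/Jan/2014:11:49:10 +0800] "GET /forum.php HTTP/1.1" 200 7330 "-" "Mozilla/5.0"
192.0.2.10 - - [26/Jan/2014:11:49:30 +0800] "GET http://www.mysite.example/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''
ERROR_LOG = '''\
2014/01/26 11:36:12 [error] 14532#0: unexpected response for other.example.org
2014/01/26 11:36:25 [error] 14533#0: unexpected response for third.example.com
2014/01/26 11:36:25 [error] 14533#0: unexpected response for third.example.com
2014/01/26 11:37:38 [error] 14533#0: DNS error (16: Unknown error), query id:14222
'''
OWN_HOSTS = {"www.mysite.example"}  # assumption: hostnames this server really serves

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} ')
RESOLVER_RE = re.compile(r'\[error\] \d+#\d+: unexpected response for (\S+)$')

def proxy_style_requests(access_text, own_hosts):
    """Return (client_ip, method, host) for requests aimed at hosts we do not serve."""
    hits = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, method, target = m.groups()
        if method == "CONNECT":              # tunnel request, target is host:port
            host = target.rsplit(":", 1)[0]
        elif "://" in target:                # absolute-form URL, as sent to a proxy
            host = urlsplit(target).hostname or ""
        else:
            continue                         # origin-form path: normal site traffic
        if host.lower() not in own_hosts:
            hits.append((ip, method, host.lower()))
    return hits

def resolver_hosts(error_text):
    """Count hostnames named in 'unexpected response for <host>' error lines."""
    return Counter(m.group(1).lower() for line in error_text.splitlines()
                   if (m := RESOLVER_RE.search(line)))

if __name__ == "__main__":
    for hit in proxy_style_requests(ACCESS_LOG, OWN_HOSTS):
        print("proxy-style request:", hit)
    print("foreign names being resolved:", resolver_hosts(ERROR_LOG).most_common())
```

When the proxy itself writes no access log, as in this thread, the error.log hostnames and the per-connection view from iftop or tcpdump may be the only local evidence, so an empty result from the access-log check does not rule abuse out.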
