SteveYin Tux's lil' helper
Joined: 20 Oct 2004 Posts: 91
|
Posted: Sat Sep 01, 2007 9:03 am Post subject: Is this an attack or something wrong with my own server? |
|
|
My Apache cannot start; if I start it, the net traffic keeps at 2Mbyte/s. My server is small, so it is not possible to have so many visitors.
The normal traffic of my server is about 100-200K/s, so I tried to use Wireshark to capture something to see, and I found this:
Click to open the picture: http://www.zschina.net.cn/Snap1.png
This capture was done just after I started Apache, and it ran for 2 seconds. Then I got about 2000 packets captured. Among these packets, 99% are these "Continuation or non-HTTP traffic". What's the problem?
Someone please help me _________________ Steve Yin |
|
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5947
|
Posted: Sat Sep 01, 2007 10:55 am Post subject: |
|
|
Maybe someone is trying to mirror your webserver, not sure. Some of those IPs you listed whois back to Chinese telecoms... If they become bothersome, I suppose you could always IP block them, or send an abuse@ email.
cheers _________________
Neddyseagoon wrote: | The problem with leaving is that you can only do it once and it reduces your influence. |
banned from #gentoo since sept 2017 |
|
SteveYin Tux's lil' helper
Joined: 20 Oct 2004 Posts: 91
|
Posted: Sat Sep 01, 2007 1:55 pm Post subject: |
|
|
Yes, I'm from China, and my server is also in China.
I cannot block these IPs; they change very frequently. What can I do?
PS: these actions block my normal traffic _________________ Steve Yin |
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54821 Location: 56N 3W
|
Posted: Sat Sep 01, 2007 2:14 pm Post subject: |
|
|
SteveYin,
Look in your /var/log/apache2 log dir to see who accessed what and when and with what command.
I expect you have someone sending shell code to try to find a buffer overflow exploit, or attempting to fetch pages you don't have.
Try running to find the source _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
sschlueter Guru
Joined: 26 Jul 2002 Posts: 578 Location: Dortmund, Germany
|
Posted: Sat Sep 01, 2007 11:05 pm Post subject: |
|
|
Doesn't look like an attack to me.
BTW: Wireshark is not the best option to get an overview over your Apache traffic and the Apache response codes. I recommend apachetop. |
|
SteveYin Tux's lil' helper
Joined: 20 Oct 2004 Posts: 91
|
Posted: Sun Sep 02, 2007 5:59 am Post subject: |
|
|
OK, now I have resolved this problem: someone posted some images, which are on my server, to many popular forums,
so these images cost so much wasted traffic on my server. I have modified the configuration of Apache to check the referer of every request; although it won't absolutely solve my problem, my traffic is back to normal now.
Thanks everyone here _________________ Steve Yin |
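
Added example, not part of any post in this thread: one way to confirm from the Apache access log that image traffic is coming from pages on other sites, as the thread concluded. It assumes the "combined" log format; the function name, the host name `www.example.net` and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "[^"]*"$'
)
IMAGE_RE = re.compile(r'\.(?:png|jpe?g|gif|bmp)(?:\?.*)?$', re.IGNORECASE)

def hotlink_bytes(lines, own_hosts):
    """Return [(referer_host, bytes_served)] for image hits referred by other sites."""
    totals = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not IMAGE_RE.search(m["path"]):
            continue  # unparseable line, or not an image request
        try:
            host = (urlsplit(m["referer"]).hostname or "").lower()
        except ValueError:
            continue  # malformed Referer header
        if not host or host in own_hosts:
            continue  # no referer ("-"), or our own pages embedding the image
        totals[host] += 0 if m["size"] == "-" else int(m["size"])
    return totals.most_common()  # heaviest external referer first

# Constructed sample lines (documentation IP ranges and .example hosts).
T = "[01/Sep/2007:09:00:01 +0800]"
SAMPLE = [
    f'203.0.113.5 - - {T} "GET /img/a.jpg HTTP/1.1" 200 150000 "http://bbs.forum-a.example/thread/1" "Mozilla/4.0"',
    f'203.0.113.9 - - {T} "GET /img/a.jpg HTTP/1.1" 200 150000 "http://bbs.forum-a.example/thread/1" "Mozilla/4.0"',
    f'198.51.100.7 - - {T} "GET /img/b.png HTTP/1.1" 200 80000 "http://forum-b.example/t/9" "Mozilla/5.0"',
    f'192.0.2.10 - - {T} "GET /img/a.jpg HTTP/1.1" 200 150000 "http://www.example.net/gallery.html" "Mozilla/5.0"',
    f'192.0.2.11 - - {T} "GET /index.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
    f'192.0.2.12 - - {T} "GET /img/b.png HTTP/1.1" 304 - "http://forum-b.example/t/9" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, nbytes in hotlink_bytes(SAMPLE, {"www.example.net"}):
        print(f"{nbytes:>10}  {host}")
```

The Referer header is supplied by the client, so requests with an empty or forged Referer are not attributed to any site here.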
|