# Is this an attack?

## grant123

My remote server has been experiencing very short periods of http downtime lately according to my monitors.  I used munin to investigate the most recent one but I'm not sure what to make of my findings.  There is a spike in several charts that correspond to the downtime.  The spikes are in:

TCP Slow Start retransmissions

TCP Retransmits lost

TCP Congestion avoidance algorithm (Reno) Partial ACK recoveries

TCP Other timeouts

ICMP Unreachables (packets in)

Any ideas?

----------

## szatox

maybe attack, maybe low quality link, maybe something else. When I see someone trying to guess my root password there is no doubt, but here I'd start with sniffing incoming packets or logging anomalies by services you think are being attacked. Check out what's going on on the wire and you will most likely know. Perhaps it's just your connection was saturated.

----------

## grant123

Is there a good way to find out if my link fills up?

----------

## thegeezer

it does look more like quality of the link is low though saturation woudl do it too.

short of running speedtest.net at your remote server you might want to try running iperf from your server to a couple of locations. the server's link might be fine but the remote ISP might be saturated on a specific route

----------

## grant123

I fixed a problem with the fastcgi PHP interpreter getting bogged down and that seemed to fix this.

----------

