So apparently the sites
were in actual use, hence the query for which site was under attack. Also, it
turned out that the traffic spike I saw might not have been an actual
SYN attack, but instead
It seems that the company that owns the sites has a domain that has nothing but advertising banners for gambling sites (since that's what they do) for which they bought advertising space on a bunch of porn sites (I'm sure on the theory of “in for a penny, in for a pound” but in this case, “in for a vice, in for a whole slew of vices”) and it caught our server unaware.
It's not like the server can't handle the load, but that Apache wasn't configured for such a spike in traffic. Now that I've tweaked the operating system (Linux):
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syn_retries=2
But also tweaked
in the Apache configuration (doubled each except for
KeepAliveTimeout which I decreased) the server is having no
problem keeping up with the traffic (I also copied the site to the second
server and am round-robinning requests between the two).
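
Whether a spike like this is a SYN flood or just real visitors can be checked from the kernel's socket states. The following is an added example, not code from the original post: it parses `/proc/net/tcp` text and compares half-open (SYN_RECV) connections to established ones on port 80, relative to the `tcp_max_syn_backlog` value set above. The sample rows, the function names and the 2x threshold are assumptions made for illustration, and the address decoding assumes a little-endian host.

```python
from collections import Counter

SYN_RECV, ESTABLISHED = "03", "01"   # kernel TCP state codes in /proc/net/tcp


def hex_ip(h):
    """Decode an IPv4 address as written by a little-endian kernel."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(h)))


def summarize(proc_net_tcp, port=80, backlog=2048):
    """Count half-open vs. completed connections to one local port."""
    half_open, established = Counter(), 0
    for line in proc_net_tcp.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) < 4:
            continue
        local, remote, state = f[1], f[2], f[3]
        if int(local.split(":")[1], 16) != port:
            continue
        if state == SYN_RECV:
            half_open[hex_ip(remote.split(":")[0])] += 1
        elif state == ESTABLISHED:
            established += 1
    syn_recv = sum(half_open.values())
    return {
        "syn_recv": syn_recv,
        "established": established,
        "backlog_used": syn_recv / backlog,            # share of the SYN backlog
        "top_half_open": half_open.most_common(3),     # sources that never finish
        # Heuristic (assumed threshold): handshakes that never complete
        # outnumber real connections by more than 2 to 1.
        "looks_like_syn_flood": syn_recv > 2 * max(established, 1),
    }


# Constructed sample (documentation addresses), truncated to the first columns.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0A00000A:0050 00000000:0000 0A
   1: 0A00000A:0050 010200C0:C350 01
   2: 0A00000A:0050 010200C0:C351 01
   3: 0A00000A:0050 076433C6:D431 01
   4: 0A00000A:0050 097100CB:E000 03
   5: 0A00000A:0016 010200C0:C360 01
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a live server, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; a busy but legitimate site shows established connections dominating, as in the sample.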