
Denial of Service Attack or lack of capacity?

rkemunto Member Posts: 1
Does anyone know how a web site can distinguish between lack of capacity and a denial of service attack? For example, when there is an increase in real traffic following an ad.

Comments

  • dynamik Banned Posts: 12,312
    I think it would be fairly obvious. DOS/DDOS attacks typically flood you with incoming data while legitimate users would be downloading items from your webserver. I'd just look at your webserver log. If there's a significant increase in usage, you can probably safely assume that is the cause. However, if there's little to no activity on your web server, then it's probably an attack or some other problem.

    [edit]
    I'd create a baseline of "normal" usage on your webserver then compare that with the usage after some marketing campaign is launched. Even if you're not worried about an attack/lack of resources, you may want to do that anyway to gauge the effectiveness of the campaign.
  • seuss_ssues Member Posts: 629
    You really need to be able to check the logs on your server and networking equipment.

    Just because they are targeting a webserver does not mean that they have to hit it at port 80.

    They could be flooding your router and no packets are even getting to the server.
    They could be attacking another port on the server (this will not show up under the web server's logs but rather syslogs).

    Those are just 2 possibilities; however, there are many, many more.

    Additionally, what was posted by rkemunto is very important. You need a baseline to compare any suspicious activity against.
  • bmack1082 Member Posts: 4
    Most times a DOS is attempted you will see a huge spike in traffic, with no apparent cause. However there are certain times when real traffic can inadvertently cause a DOS. In the case of a web server, your logs should be able to give you some indication of whether the traffic is real or not.

    With real traffic, you will most likely see a referrer in the logs. If you see thousands of hits coming from digg.com you'll have an indication of what your problem is. In a targeted DOS, the referrer field will most likely be null. This is just from personal analyst experience, others may have differing opinions. :D
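The two heuristics in this thread (dynamik's "compare against a baseline" and bmack1082's "look at the referrer field") can be turned into a small log triage script. The following is an added example written for this page, not code posted by anyone in the thread. It parses Apache/nginx combined-format access log lines, summarises a quiet baseline window and a busy window (request rate, bytes per response, how concentrated the referrers and client addresses are), and labels the busy window as a referred campaign, a suspected flood, or an unexplained spike. All log lines, host names and addresses are constructed sample data, and the thresholds (5x baseline rate, 50% referrer or client share, and so on) are assumptions to tune against your own traffic.

```python
"""Baseline-vs-spike triage of combined-format web server access logs.

Added example for this thread. Every log line below is constructed sample
data; thresholds in classify() are assumed starting points, not measurements.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["referer"] = "" if rec["referer"] == "-" else rec["referer"]  # "-" means no referrer
    return rec


def referer_host(url):
    """'http://digg.com/story/42' -> 'digg.com'; empty or odd values -> ''."""
    parts = url.split("/")
    return parts[2] if "://" in url and len(parts) > 2 else ""


def summarize(lines):
    """Per-window metrics: rate, bytes per request, referrer and client concentration."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return None
    span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
    minutes = max(span / 60.0, 1.0)  # floor at one minute so a short burst cannot divide by ~0
    refs = Counter(referer_host(r["referer"]) for r in recs)
    ips = Counter(r["ip"] for r in recs)
    n = len(recs)
    top_ref, top_ref_n = max(((h, c) for h, c in refs.items() if h),
                             key=lambda hc: hc[1], default=("", 0))
    return {
        "requests": n,
        "req_per_min": n / minutes,
        "bytes_per_req": sum(r["size"] for r in recs) / n,
        "no_referer_share": refs[""] / n,
        "top_referer": top_ref,
        "top_referer_share": top_ref_n / n,
        "top_ip_share": ips.most_common(1)[0][1] / n,
    }


def classify(baseline, current, rate_factor=5.0):
    """Label the current window against the baseline and explain why (assumed thresholds)."""
    if current["req_per_min"] < rate_factor * baseline["req_per_min"]:
        return "normal", "request rate within %.0fx of baseline" % rate_factor
    reasons = []
    if current["top_ip_share"] > 0.5:
        reasons.append("one client sends %.0f%% of requests" % (100 * current["top_ip_share"]))
    if current["no_referer_share"] > 0.9 and baseline["no_referer_share"] < 0.5:
        reasons.append("referrer empty on %.0f%% of requests" % (100 * current["no_referer_share"]))
    if current["bytes_per_req"] < 0.1 * baseline["bytes_per_req"]:
        reasons.append("responses are tiny compared with baseline")
    if reasons:
        return "suspected-dos", "; ".join(reasons)
    if current["top_referer_share"] > 0.5:
        return "campaign", "spike dominated by referrer %s" % current["top_referer"]
    return "unexplained-spike", "rate spike with no single referrer or client standing out"


def make_line(ip, ts, size, referer):
    """Build one constructed combined-format log line (sample data only)."""
    return '%s - - [%s] "GET /landing HTTP/1.1" 200 %d "%s" "Mozilla/5.0"' % (
        ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), size, referer or "-")


T0 = datetime(2009, 3, 1, 12, 0, tzinfo=timezone.utc)
# Baseline: 20 requests over ~10 minutes, mixed clients, about a third without referrer.
BASELINE = [make_line("10.0.%d.%d" % (i % 4, i + 1), T0 + timedelta(seconds=30 * i), 8000,
                      "" if i % 3 == 0 else "http://search.example/?q=x") for i in range(20)]
# Campaign: 200 requests in ~2 minutes from 200 clients, all referred by one news site.
CAMPAIGN = [make_line("10.1.%d.%d" % (i // 50, i % 250 + 1), T0 + timedelta(seconds=0.6 * i),
                      8000, "http://digg.com/story/42") for i in range(200)]
# Flood: 400 requests in one minute from a single source, no referrer, empty responses.
FLOOD = [make_line("192.0.2.7", T0 + timedelta(seconds=0.15 * i), 0, "") for i in range(400)]

if __name__ == "__main__":
    base = summarize(BASELINE)
    for name, window in (("campaign", CAMPAIGN), ("flood", FLOOD)):
        label, why = classify(base, summarize(window))
        print("%-9s -> %-16s (%s)" % (name, label, why))
```

On a real server you would feed `summarize()` the lines from a quiet period captured before the marketing campaign (the baseline dynamik suggests keeping anyway) and the lines from the busy window, and read the reasons as prompts for where to look next, not as a verdict: as seuss_ssues notes, a flood aimed at the router or another port never reaches this log at all, so an empty access log during an outage is itself a signal.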