Denial of Service Attack or lack of capacity?
rkemunto
Does anyone know how a web site can distinguish between lack of capacity and a denial of service attack? For example, when there is an increase in real traffic following an ad.
Comments
dynamik
I think it would be fairly obvious. DOS/DDOS attacks typically flood you with incoming data while legitimate users would be downloading items from your webserver. I'd just look at your webserver log. If there's a significant increase in usage, you can probably safely assume that is the cause. However, if there's little to no activity on your web server, then it's probably an attack or some other problem.
[edit]
I'd create a baseline of "normal" usage on your webserver then compare that with the usage after some marketing campaign is launched. Even if you're not worried about an attack/lack of resources, you may want to do that anyway to gauge the effectiveness of the campaign.
seuss_ssues
You really need to be able to check the logs on your server and networking equipment.
Just because they are targeting a webserver does not mean that they have to hit it at port 80.
They could be flooding your router and no packets are even getting to the server.
They could be attacking another port on the server (this will not show up in the web server's logs but rather in the syslogs).
Those are just two possibilities; however, there are many, many more.
Additionally, what was posted by rkemunto is very important. You need a baseline to compare any suspicious activity against.
bmack1082
Most times a DOS is attempted, you will see a huge spike in traffic with no apparent cause. However, there are certain times when real traffic can inadvertently cause a DOS. In the case of a web server, your logs should be able to give you some indication of whether the traffic is real or not.
With real traffic, you will most likely see a referrer in the logs. If you see thousands of hits coming from digg.com, you'll have an indication of what your problem is. In a targeted DOS, the referrer field will most likely be null. This is just from personal analyst experience; others may have differing opinions.
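The two checks the replies describe (compare request rate against a baseline, then look at the referrer field) as an added Python example; this is not code from any poster. The log lines, the baseline rate and the spike/null-referrer thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: the referrer is the first quoted field after status and size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(lines):
    """Yield (per-minute bucket, referrer) for each line that matches the combined format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # "10/Oct/2025:13:55:36 +0000" -> "10/Oct/2025:13:55"
            yield m.group("ts")[:17], m.group("ref")

def classify(lines, baseline_rpm, spike_factor=5.0, null_ref_threshold=0.8):
    """Compare one log window against a baseline requests-per-minute figure and inspect referrers.
    Verdicts: within_baseline (no spike), likely_real_traffic (spike, most hits name a referring
    site), suspicious_flood (spike with almost no referrers: investigate as a possible DoS)."""
    per_minute, refs = Counter(), Counter()
    total = 0
    for minute, ref in parse(lines):
        per_minute[minute] += 1
        refs["(none)" if ref in ("", "-") else ref] += 1  # Apache writes "-" for an empty referrer
        total += 1
    peak_rpm = max(per_minute.values(), default=0)
    null_ratio = refs["(none)"] / total if total else 0.0
    if peak_rpm <= baseline_rpm * spike_factor:
        verdict = "within_baseline"
    elif null_ratio >= null_ref_threshold:
        verdict = "suspicious_flood"
    else:
        verdict = "likely_real_traffic"
    return {"peak_rpm": peak_rpm, "null_ref_ratio": round(null_ratio, 2),
            "top_referrers": refs.most_common(3), "verdict": verdict}

def make_line(ip, ts, ref):
    """Build one constructed combined-format line (sample data, not a real server log)."""
    return f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 5120 "{ref}" "Mozilla/5.0"'

# Constructed windows: 40 hits in one minute arriving via a digg.com link, and
# 40 hits in one minute from four addresses with an empty referrer.
CAMPAIGN_BURST = [make_line(f"203.0.113.{i}", f"10/Oct/2025:13:55:{i:02d} +0000",
                            "http://digg.com/story/x") for i in range(40)]
FLOOD_BURST = [make_line(f"198.51.100.{i % 4}", f"10/Oct/2025:14:20:{i:02d} +0000", "-")
               for i in range(40)]
```

Call `classify(window, baseline_rpm=5)` on each constructed window to see the two verdicts; as seuss_ssues notes, this only sees requests that actually reached the web server, so a flood stopped at the router needs the network equipment's logs instead.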