
signs of a denial of service attack?

Recently a website of ours has been having some problems. During a specific period of the day the site slows to a crawl. We believe it's a problem with the IIS setup on the server. However, the company that we paid to develop this site and the apps it uses is insisting that it's a DoS attack. The server that is hosting this site is also hosting about 8 others. None of those sites seem to be having a problem; they are all just as fast and responsive as always. The server doesn't seem to be getting overly taxed. It's slightly above the recorded benchmarks we have for it. We haven't noticed any drop in Internet performance; we are on a 100 meg up/down connection. My boss wants to let them access our SonicWall and poke around in there to look for signs of a DoS attack. I strongly objected to this, and said I would let them in with read-only access. My boss and the VAR objected and I was overruled. They say that since I've never been anywhere that has had this happen I don't know what I'm talking about. So I was wondering, before I officially go to my boss and call them liars, if I was missing something. I'll admit, I could absolutely be wrong, but my gut is telling me that I'm not.
2 Solutions
btan, Exec Consultant, commented:
Only the logs will have strong evidence to determine whether such anomalies stand. DoS need not be a high surge of traffic; it can target protocol flaws and exploit them such that the web server or application goes really slow or to the extent of not working, e.g. Slowloris, Slow POST, the THC SSL attack, etc. They are all protocol-specific application (L7) DoS attacks (in general HTTP GET / DNS flood). We are not focusing on the normal network (L3) DoS, which a rightly configured FW should alert on and flag, such as SYN flood, UDP flooding, ICMP flood (smurf), Ping of Death.

e.g. The Many Faces of DDoS: Variations on a Theme or Two

e.g. True DDoS Stories: SSL Connection Flood

e.g. Mitigating Nuclear DDoSer, R-U-Dead-Yet, Dirt Jumper, Keep-Dead, and Tor Hammer
btan, Exec Consultant, commented:
Adding on, you can check the logs for anomalies as shared below to see if there is any fruitful return. If they bypass the FW (which cannot understand and stop L7 DoS attacks, as mentioned earlier), the DoS effect would be revealed in the logs... note that sometimes it is reconnaissance from the wild trying out ApacheBench, and it keeps coming from the same IP at a constant rate or slow rate.

e.g. basic uses of Log Parser and Netmon for baselining normal traffic and for analyzing anomalous events. For instance, the TCPFlag distribution query output example showed a 4 percent SYN distribution for normal traffic periods. Doing this same data collection during an event might show otherwise... You may also want to use more specific queries to find more information about the client or clients making requests at anomalous rates.

e.g. (Seeing OWASP top 10 symptoms is also good indicator of probing) Detecting Attacks on Web Applications from Log Files

From apache.org, "ApacheBench is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server". Unfortunately, this helpful tool can also be used by a hacker to bring your website down
@ http://www.gregthatcher.com/Azure/Ch2_DetectingDenialOfService.aspx
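As an added example (not part of btan's answer or the original thread), here is a Python script that applies the per-client rate check described above to IIS W3C extended logs and flags the ApacheBench user agent; the log excerpt, IP addresses and the 20-requests-per-minute threshold are constructed assumptions.

```python
"""Spot L7 DoS symptoms in IIS W3C logs: one client hammering at a steady rate,
or a load-testing user agent such as ApacheBench hitting a production site."""
from collections import defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

def parse_iis_w3c(text):
    """Yield one dict per request; the #Fields directive names the columns."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):      # skip truncated/malformed rows
                yield dict(zip(fields, parts))

def rate_anomalies(requests, window_seconds=60, threshold=20):
    """Map c-ip -> peak requests per window, for clients at/above threshold."""
    buckets = defaultdict(lambda: defaultdict(int))
    for r in requests:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        buckets[r["c-ip"]][int((ts - EPOCH).total_seconds()) // window_seconds] += 1
    peaks = {ip: max(b.values()) for ip, b in buckets.items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def tool_user_agents(requests, markers=("ApacheBench",)):
    """Map c-ip -> set of user agents that look like benchmarking tools."""
    hits = defaultdict(set)
    for r in requests:
        ua = r.get("cs(User-Agent)", "-")
        if any(m in ua for m in markers):
            hits[r["c-ip"]].add(ua)
    return dict(hits)

def build_sample_log():
    """Constructed IIS log excerpt (not real traffic); IIS writes '+' for spaces."""
    lines = ["#Software: Microsoft Internet Information Services",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) time-taken"]
    for s in range(0, 60, 20):   # a normal visitor: three requests in a minute
        lines.append(f"2014-03-10 14:00:{s:02d} 10.0.0.5 GET /default.aspx 200 Mozilla/5.0 120")
    for s in range(30):          # one client: 30 requests in 30 s via ApacheBench
        lines.append(f"2014-03-10 14:01:{s:02d} 203.0.113.7 GET /search.aspx 200 ApacheBench/2.3 3100")
    lines.append("2014-03-10 14:01:30 203.0.113.7 GET")   # truncated row, skipped by parser
    return "\n".join(lines)

if __name__ == "__main__":
    reqs = list(parse_iis_w3c(build_sample_log()))
    print("high-rate clients:", rate_anomalies(reqs))
    print("benchmark tools:  ", tool_user_agents(reqs))
```

Run it against a real IIS log by replacing `build_sample_log()` with the file contents; compare the peaks against a quiet-period baseline rather than a fixed threshold.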