signs of a denial of service attack?

Recently a website of ours has been having some problems.  During specific period of the day the site slows to a crawl.  We believe it's a problem with the iis set up on the server.  However the company that we paid to develop this site and the apps it uses are insisting  that it's a DoS attack.  The server on that is hosting this site is also hosting about 8 others.  None of those sites seem to be having a problem, they are all just as fast and responsive as always.  The server doesn't seem to be getting overly taxed.  It's slightly above the recorded benchmarks we have for it.  We haven't noticed any drop in Internet performance, we are on a 100meg up down connection.  My boss wants to let them access our sonicwall and poke around in there to look for signs of a DoS attack.  I strongly objected to this, and said I would let them in with read only access.  My boss and the VAR objected and I was over ruled.  They say that since I've never been anywhere that has had this happen I don't know what I'm talking about.  So I was wondering, before I officially go to my boss and call them liars, if I was missing something.  I'll admit, I could absolutely be wrong, but my guts are telling me that I'm not.
LVL 1
adml_shakeAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
only the logs will have strong evidence to determine if such anomalies stands. DoS need not be high surge traffic and can target protocol flaws and exploit it such that the web server or appl goes really slow or to the extend of not working. e.g. Slowloris, Slow POST, SSL THC attack etc, they are all protocol specific application (L7) DoS attack (in general HTTP GET / DNS flood) - we are not focusing on the normal network (L3) DoS which FW rightfully configured should alert and flagged attack such as SYN flood, UDP flooding, ICMP flood (smurf), Ping of Death

e.g. The Many Faces of DDoS: Variations on a Theme or Two
https://devcentral.f5.com/articles/the-many-faces-of-ddos-variations-on-a-theme-or-two

e.g. True DDoS Stories: SSL Connection Flood
https://devcentral.f5.com/articles/true-ddos-stories-ssl-connection-flood

e.g. Mitigating Nuclear DDoSer, R-U-Dead-Yet, Dirt Jumper, Keep-Dead, and Tor Hammer
https://devcentral.f5.com/articles/mitigating-nuclear-ddoser-r-u-dead-yet-dirt-jumper-keep-dead-and-tor-hammer-with-f5
0
btanExec ConsultantCommented:
Adding on , you can check the log for anomalies as shared below to see any fruitful return, if they bypass FW (which the latter cannot understd and stop L7 DoS attack as mentioned earlier), the DoS effect would be revealed in log...note that something it is reconnannism from the wild trying out Apachebench and keep coming from same IP and constant rate or slow rate

e.g. basic uses of Log Parser and Netmon for baselining normal traffic and for analyzing anomalous events. For instance, the TCPFlag distribution query output example showed a 4 percent SYN distribution for normal traffic periods. Doing this same data collection during an event might show otherwise... you may also want to use more specific queries to find more information about the client or clients making requests at anomalous rates

http://technet.microsoft.com/en-sg/magazine/2006.03.insidemscom(en-us).aspx

e.g. (Seeing OWASP top 10 symptoms is also good indicator of probing) Detecting Attacks on Web Applications from Log Files
http://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-web-applications-log-files-2074

From apache.org, "ApacheBench is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server". Unfortunately, this helpful tool can also be used by a hacker to bring your website down
@ http://www.gregthatcher.com/Azure/Ch2_DetectingDenialOfService.aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.