Did my site get a DoS attack?
-
How do I tell whether my site was hit by a denial of service attack? [Server logs inside.]

Background: My friend and I run the website for a campus political party at our university. Elections started at midnight last night. We heard that the other guys were planning to try a DoS on our site, http://www.michiganprogressiveparty.com.

Here are the logs:
http://joeygolden.com/stats1.pdf
http://joeygolden.com/stats2.pdf

We think that someone was requesting the same image (mpptop.gif) a lot. I changed the around 1am, not sure if that stopped it (if there was ever an attack in the first place). I'm not skilled with this sort of IT stuff, so I thought I'd ask here. Is there good evidence in our logs that a DoS attack occurred?
-
Answer:
These reports aren't particularly useful. Do you have access to the underlying log files? They'll be text files with a separate line for each request against your server.

It does look like mpptop.gif was requested far out of proportion to everything else on your site. It was requested over 200K times, while it looks like your HTML pages were only requested ~16K times. Even if the gif was referenced multiple times per page, I'd expect it to be cached on the browser side.

The major candidate is this host: stockwell-205-56.reshall.umich.edu, which accounts for 50% of the traffic on your site this month. These hosts might also have been participating:
bursley-220-81.reshall.umich.edu
bursley-216-26.reshall.umich.edu

It seems unlikely to me that the level of traffic you were hit with would have mounted an effective denial of service, unless your website is hosted on a Palm V. It's not looking particularly distributed either, but it does look like someone may have made a lame attempt to knock your site off-line.

If you have access to the raw server logs for yesterday, it will be much more obvious what really went on in the evening. If it shows evidence of a traffic flood from one of those hosts then campus IT will probably be able to check DHCP logs to narrow down the computer associated with those IP addresses at the times in question, and may be able to identify which room was involved. Whether they will or not is another question.
electric_counterpoint at Ask.Metafilter.Com
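An added example, not part of the original answer: one way to check raw access logs for the pattern described above, a single host requesting one file far more often than anyone else. It assumes Apache-style Common Log Format (the page does not name the server software); the host names, the `/mpptop.gif` path, the timestamps and the thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed format: Apache-style Common Log Format (the page does not name the server).
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+)[^"]*" \d{3} \S+')

def parse(lines):
    """Yield (host, minute, path) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        yield m["host"], ts.replace(second=0), m["path"].split("?")[0]

def flood_suspects(lines, min_per_minute=30, min_share=0.5):
    """Map (host, path) -> peak requests per minute, for hosts that both burst
    past min_per_minute on a path and make up min_share of all its requests."""
    per_minute = defaultdict(Counter)      # (host, path) -> {minute: count}
    path_total = Counter()
    for host, minute, path in parse(lines):
        per_minute[(host, path)][minute] += 1
        path_total[path] += 1
    suspects = {}
    for (host, path), minutes in per_minute.items():
        peak = max(minutes.values())
        share = sum(minutes.values()) / path_total[path]
        if peak >= min_per_minute and share >= min_share:
            suspects[(host, path)] = peak
    return suspects

def sample_log():
    """Constructed log lines: one host hammering the image, five normal visitors."""
    fmt = '{} - - [01/Jan/2000:00:{:02d}:{:02d} -0500] "GET {} HTTP/1.1" 200 512'
    lines = [fmt.format("dorm-a.example.edu", 10, s, "/mpptop.gif") for s in range(60)]
    lines += [fmt.format("dorm-a.example.edu", 11, s, "/mpptop.gif") for s in range(40)]
    for i in range(5):
        host = f"visitor{i}.example.net"
        lines += [fmt.format(host, 10, i, "/index.html"),
                  fmt.format(host, 10, i, "/mpptop.gif")]
    lines.append("truncated or malformed line")
    return lines

if __name__ == "__main__":
    for (host, path), peak in flood_suspects(sample_log()).items():
        print(f"{host} requested {path} up to {peak} times in one minute")
```

The per-minute peak matters as much as the total: a host with a high monthly count but no bursts is more likely a broken client or a shared proxy than a flood.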
Other answers
Both of those machines, Bursley and Stockwell, are residence halls at the University of Michigan. Probably from dorm rooms... I'm assuming they aren't computer science majors.
Roger Dodger