August 31, 2008 7:01 am GMT

How do you recognize a DoS attack

by Gary Illyes


Early recognition of a DoS attack is essential. This post will help you learn how to recognize a DoS attack so you can take the necessary steps.

In my previous post I talked about DoS attacks in general (see the end of this post for the link), and if you’ve read it, you know how they work. If you haven’t read it, do that first and then come back here.

When a website is under DoS siege, the most prominent effect is that the website becomes slower and slower as time passes and the number of incoming connections increases, up to the point where the webserver either resets (in my humble opinion the best outcome) or refuses to serve.

In one of my previous posts I mentioned that a webserver, for example Apache, can handle only a limited number of connections. This number depends solely on the architecture of the webserver’s core, the amount of available hardware resources and how the server administrator configured the webserver. This only applies to standalone servers, not load-balanced ones or mainframes. How quickly the server becomes unusable depends solely on the same factors. For example, a server with a large amount of RAM can handle a very big number of connections, if the software configuration allows it.

So, the first eye-catching effect of a DoS attack is the enormous number of unexpected connections.

Webservers are designed so that when a connection is opened, it isn’t closed for quite a long time, usually 250-300 seconds. So when a DoS client connects to a server, it isn’t disconnected for the whole TTL period. Imagine thousands of connections waiting to close.

As a consequence of the above, the second prominent thing that happens to a webserver under attack is that there are a lot of unclosed, waiting connections.

The web server allocates an amount of hardware resources to each incoming connection. Under a DoS siege the number of connections is enormously high, so a lot of hardware resources are consumed. First the RAM runs out; once the RAM is filled up, the server tries to use the hard disk instead, causing it to “swap”, and because there is no RAM left, the CPU can’t handle anything either. The server is on its knees.

So, the last thing you should observe is that the server load is too high. I say this is the last thing to look for because if only this applies to your situation, most likely you are not under a DoS siege; instead either a misconfiguration happened at the server level, or a badly written, low-quality script is using up the resources.
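The three signs above (too many connections, too many of them waiting to close, and high load as the weakest sign on its own) can be checked mechanically. The script below is an added example, not part of the original post: it parses a netstat-style socket snapshot, counts connections by state and by remote address, and applies the post's order of evidence. The snapshot lines, the 192.0.2.0/24 and 198.51.100.0/24 addresses, the `MaxClients`-style slot limit of 150 and the warning thresholds are all constructed assumptions to be tuned for a real server.

```python
"""Added example (not from the original post): triage the three DoS signs
the post lists from a netstat -ant style snapshot and a 1-minute load
average. Sample data and thresholds are constructed assumptions."""
from collections import Counter

# Assumed thresholds; tune them to the server's slot limit and CPU count.
SLOT_WARN = 0.8          # fraction of connection slots in use
WAITING_WARN = 0.4       # fraction of connections lingering, not serving
LOAD_PER_CPU_WARN = 2.0  # 1-minute load average per CPU

# TCP states in which a connection is waiting to close rather than serving.
WAITING_STATES = {"SYN_RECV", "CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2",
                  "TIME_WAIT", "LAST_ACK", "CLOSING"}

# Constructed sample of `netstat -ant` output: a quiet server with six clients.
NORMAL_LINES = [
    "tcp 0 0 10.0.0.5:80 198.51.100.7:51234 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 198.51.100.9:40111 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 203.0.113.4:55502 ESTABLISHED",
    "tcp 0 0 10.0.0.5:80 203.0.113.18:49160 TIME_WAIT",
    "tcp 0 0 10.0.0.5:443 198.51.100.21:33012 ESTABLISHED",
    "tcp 0 0 10.0.0.5:22 203.0.113.77:60001 ESTABLISHED",
]
# Constructed flood: 120 connections from 40 addresses in the documentation
# range 192.0.2.0/24, half sitting idle and half left hanging in CLOSE_WAIT.
FLOOD_LINES = [
    "tcp 0 0 10.0.0.5:80 192.0.2.%d:%d %s"
    % (i % 40 + 1, 50000 + i, "ESTABLISHED" if i % 2 == 0 else "CLOSE_WAIT")
    for i in range(120)
]


def parse_netstat(text):
    """Return (remote_ip, state) for every non-listening TCP line."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        remote, state = parts[4], parts[5]
        if state == "LISTEN":
            continue
        conns.append((remote.rsplit(":", 1)[0], state))
    return conns


def summarize(conns):
    """Count connections in total, by state and by remote address."""
    by_state = Counter(state for _, state in conns)
    by_ip = Counter(ip for ip, _ in conns)
    waiting = sum(n for state, n in by_state.items() if state in WAITING_STATES)
    return {"total": len(conns), "waiting": waiting,
            "by_state": by_state, "top_sources": by_ip.most_common(5)}


def assess(summary, load1, cpus, max_clients):
    """Apply the post's order of evidence: connections first, load last."""
    findings = []
    if summary["total"] >= SLOT_WARN * max_clients:
        findings.append("connections")
    if summary["total"] and summary["waiting"] / summary["total"] >= WAITING_WARN:
        findings.append("waiting")
    if load1 >= LOAD_PER_CPU_WARN * cpus:
        findings.append("load")
    if "connections" in findings or "waiting" in findings:
        verdict = "likely DoS"
    elif findings == ["load"]:
        # High load alone points at configuration or a runaway script first.
        verdict = "load only: check server configuration or a runaway script"
    else:
        verdict = "normal"
    return verdict, findings


def triage(snapshot, load1, cpus=2, max_clients=150):
    """Full pipeline: parse, summarize, assess. Returns (verdict, findings, summary)."""
    summary = summarize(parse_netstat(snapshot))
    verdict, findings = assess(summary, load1, cpus, max_clients)
    return verdict, findings, summary


if __name__ == "__main__":
    scenarios = [("flood", "\n".join(NORMAL_LINES + FLOOD_LINES), 9.5),
                 ("runaway script", "\n".join(NORMAL_LINES), 9.5),
                 ("quiet", "\n".join(NORMAL_LINES), 0.3)]
    for label, snap, load in scenarios:
        verdict, findings, summary = triage(snap, load)
        print(label, "->", verdict, findings,
              "total=%d waiting=%d" % (summary["total"], summary["waiting"]),
              "top:", summary["top_sources"][:2])
```

On a live box the snapshot would come from `netstat -ant` (or `ss -ant`, whose columns differ slightly) and the load from `/proc/loadavg`; the `top_sources` list is there so the operator can see whether the connections come from a handful of addresses or are spread thin, which decides what kind of filtering is even possible.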

