Did my site get a DoS attack?
March 21, 2006 9:43 PM

How do I tell whether my site was hit by a denial of service attack? [Server logs inside.]

Background: My friend and I run the website for a campus political party at our university. Elections started at midnight last night. We heard that the other guys were planning to try a DoS on our site, http://www.michiganprogressiveparty.com.

Here are the logs:
http://joeygolden.com/stats1.pdf
http://joeygolden.com/stats2.pdf

We think that someone was requesting the same image (mpptop.gif) a lot. I changed the around 1am, not sure if that stopped it (if there was ever an attack in the first place). I'm not skilled with this sort of IT stuff, so I thought I'd ask here. Is there good evidence in our logs that a DoS attack occurred?
posted by electric_counterpoint to computers & internet (2 comments total)
These reports aren't particularly useful. Do you have access to the underlying log files? They'll be text files with a separate line for each request against your server.

It does look like mpptop.gif was requested far out of proportion to everything else on your site. It was requested over 200K times, while it looks like your HTML pages were only requested ~16K times. Even if the gif was referenced multiple times per page, I'd expect it to be cached on the browser side.

The major candidate is this host: stockwell-205-56.reshall.umich.edu, which accounts for 50% of the traffic on your site this month.

These hosts might also have been participating:
bursley-220-81.reshall.umich.edu
bursley-216-26.reshall.umich.edu

It seems unlikely to me that the level of traffic you were hit with would have mounted an effective denial of service, unless your website is hosted on a Palm V. It's not looking particularly distributed either, but it does look like someone may have made a lame attempt to knock your site off-line.

If you have access to the raw server logs for yesterday, it will be much more obvious what really went on in the evening. If it shows evidence of a traffic flood from one of those hosts then campus IT will probably be able to check DHCP logs to narrow down the computer associated with those IP addresses at the times in question, and may be able to identify which room was involved. Whether they will or not is another question.
posted by Good Brain at 10:17 PM on March 21, 2006
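As an added example (not code from the thread or from either poster), this is the kind of first pass over the raw access log that the answer above suggests: parse the one-request-per-line Apache combined log, count requests per client and per resource, and flag clients that either dominate total traffic or re-fetch one static file far more often than a caching browser would. The log lines, thresholds and the names `LOG_RE`, `flood_report` and `SAMPLE_LOG` are constructed for the example; only the hostnames come from the thread.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" line: host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log (not taken from the thread): one host fetches the
# banner 300 times, two others 40 times each, and 20 ordinary visitors load
# the front page plus the banner once, as a caching browser would.
def _line(host, sec, path):
    return ('%s - - [21/Mar/2006:00:%02d:%02d -0500] "GET %s HTTP/1.1" '
            '200 4120 "-" "Mozilla/5.0"' % (host, sec // 60, sec % 60, path))

SAMPLE_LOG = (
    [_line("stockwell-205-56.reshall.umich.edu", i, "/mpptop.gif") for i in range(300)]
    + [_line("bursley-220-81.reshall.umich.edu", i, "/mpptop.gif") for i in range(40)]
    + [_line("bursley-216-26.reshall.umich.edu", i, "/mpptop.gif") for i in range(40)]
    + [_line("visitor-%d.example.net" % i, i, p)
       for i in range(20) for p in ("/index.html", "/mpptop.gif")]
)

def parse_lines(lines):
    """Yield (host, path) for every well-formed line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("host"), m.group("path")

def flood_report(lines, share_threshold=0.25, repeat_threshold=25):
    """Count requests per client and per resource, then flag clients that
    either dominate total traffic or re-fetch one path far more often than
    a caching browser would (the pattern the stats pages hinted at)."""
    per_host, per_path, host_path, total = Counter(), Counter(), defaultdict(Counter), 0
    for host, path in parse_lines(lines):
        total += 1
        per_host[host] += 1
        per_path[path] += 1
        host_path[host][path] += 1
    suspects = []
    for host, hits in per_host.most_common():
        share = hits / total
        top_path, top_hits = host_path[host].most_common(1)[0]
        if share >= share_threshold or top_hits >= repeat_threshold:
            suspects.append({"host": host, "hits": hits, "share": round(share, 3),
                             "top_path": top_path, "top_path_hits": top_hits})
    return {"total": total, "per_path": per_path, "suspects": suspects}

REPORT = flood_report(SAMPLE_LOG)  # run against the constructed sample
```

Pointing `flood_report` at `open("access_log")` instead of `SAMPLE_LOG` gives the per-host breakdown for a real log; the two thresholds are starting points to tune against normal traffic for the site.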


Both of those machines, Bursley and Stockwell, are residence halls at the University of Michigan. Probably from dorm rooms... I'm assuming they aren't computer science majors.
posted by Roger Dodger at 7:59 AM on March 22, 2006

