How could I know that a lot of requests in a short period of time come from a DoS attack and not from normal browser requests?
2 Answers
One of the better indicators of a malicious attack is that there are a huge number of requests for stuff that is not your actual content. Beyond that the best you can do is look for patterns.
Thousands of identical or similar requests from the same source within a second may very well be part of a DOS attack. It could also be caused by a malfunctioning program but from your perspective the only difference is intent. Of course if that number is hundreds of thousands or even millions of requests it's a fair bet that you are indeed being attacked. The same applies if those requests are originating from different sources.

You can't - at least not always. It completely depends on the nature of a DDOS attack: If it just accesses one page, it might be a rogue DDOS-attack or just the slashdot crowd (in case of slashdot you might be able to get a hint through the referrers).
If several IPs start appearing more often and spider your site too quickly, this might be bad for your site, or it might be wanted: If you have interesting (and changing) content, you'll be spidered more aggressively by the big search engines. This might not be too distributed, but nevertheless might at least result in a DOS if too aggressive.
After all: isn't being slashdotted also a kind of DDOS? It's manual, but very distributed and might lead to DOS.
You won't get hints in the referrer if you're named in a popular streaming podcast, where everybody learns about your site at the same time (twit.tv comes to mind - they frequently take sites down by mentioning them). As everybody is typing the URL manually into their browser, there is no hint where they came from.
Last question: When you determine what they are: What would you do with them? Your network might be already saturated so DDOS protection needs to be added outside of your network - or are you looking for an algorithm to place there?

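The indicators the two answers mention (requests for content that does not exist, volume per source, a shared referrer), computed over one time window of access-log lines. This is an added example, not code from either answer; the thresholds, the function names and the sample log lines are constructed assumptions, and the caller is assumed to have already sliced the log into windows.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referrer" ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"'
)

def burst_signals(lines, per_source_limit=100, ratio=0.5):
    """Summarise one time window of log lines; thresholds are assumed values."""
    hits = [m for m in map(LINE.match, lines) if m]
    total = len(hits)
    if total == 0:
        return {"total": 0, "sources": 0, "hints": []}
    by_ip = Counter(m["ip"] for m in hits)
    by_ref = Counter(m["ref"] for m in hits if m["ref"] not in ("", "-"))
    missing = sum(1 for m in hits if m["status"] == "404")
    top_ip, top_ip_n = by_ip.most_common(1)[0]
    hints = []
    if missing / total > ratio:
        hints.append("mostly requests for content that does not exist")
    if top_ip_n > per_source_limit:
        hints.append(f"{top_ip} sent {top_ip_n} requests in the window")
    if by_ref:
        ref, n = by_ref.most_common(1)[0]
        if n / total > ratio:
            hints.append(f"shared referrer {ref} (possible link-driven crowd)")
    # No referrer proves nothing: typed-in URLs (the podcast case) carry none.
    return {"total": total, "sources": len(by_ip),
            "missing_ratio": missing / total, "hints": hints}

def _line(ip, path, status, ref="-"):
    # Builds a constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [01/Jan/2024:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "{ref}" "test-agent"')

# Constructed sample windows, not real traffic.
FLOOD = [_line("203.0.113.9", f"/x{i}.php", 404) for i in range(300)]
CROWD = [_line(f"198.51.100.{i % 200 + 1}", "/article", 200,
               "https://news.example/story") for i in range(300)]

if __name__ == "__main__":
    for name, window in (("flood", FLOOD), ("crowd", CROWD)):
        print(name, burst_signals(window))
```

The output is a set of hints rather than a verdict: a window with no hints can still be a distributed flood, and a window with a shared referrer can still saturate the server.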