Today a web portal can be the target of several types of attack, ranging from Cross Site Scripting and web defacement to DoS or DDoS attacks.
In this article we will see what is important to monitor on a web portal in order to identify potential DoS or DDoS attacks in progress.
DoS and DDoS respectively stand for Denial-of-Service and Distributed Denial-of-Service.
These terms refer to a type of attack whose goal is to exhaust the resources available to a network, an application or a service in general, so that legitimate users of that service are no longer able to use it.
In general, a DDoS attack is carried out by a large group of clients around the world which, at a precise moment, begin to flood a website, a network or a service in general with packets. The clients participating in the attack may be used deliberately (and knowingly) by their respective owners, as in the case of actions by groups of activists, or may have been previously compromised by Trojans such as Zeus and SpyEye and consequently enrolled in the related botnets.
Specifically, it is essential to monitor the web server and the application server in order to detect an abnormal increase in access requests to a web portal, and so identify a potential DoS or DDoS attack:
• Anonymous Users connected per second
• Sent and received bytes per second
• Attempts to connect per second
• Established connections per second
• Total Active Connections
• Allocated memory per process (server, application server)
• CPU usage per process (server, application server)
• Total anonymous users
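Several of the counters above (requests per second, bytes sent per second, distinct clients per second) can be derived directly from the web server's access log. The following is an added example, not code from the original article: it parses a handful of constructed combined-format log lines (the addresses, paths and timestamps are made up), aggregates them into per-second buckets, learns a baseline request rate from the first few seconds and flags any later second whose rate exceeds a multiple of that baseline. The baseline window, the factor of 5 and the minimum of 10 requests are assumed thresholds chosen for the sample data; a real deployment would tune them against its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic (not real log data): two quiet seconds followed by
# one second with 12 requests from 12 distinct addresses in 198.51.100.0/24.
NORMAL_LINES = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
BURST_LINES = [
    f'198.51.100.{i} - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-" "-"'
    for i in range(1, 13)
]
SAMPLE_LOG = NORMAL_LINES + BURST_LINES

# Combined log format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return {"ip", "second", "bytes"} for one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "second": ts, "bytes": size}


def per_second_counters(lines):
    """Aggregate log lines into {second: {"requests", "bytes", "clients"}}."""
    counters = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed lines instead of aborting the whole run
            continue
        bucket = counters[rec["second"]]
        bucket["requests"] += 1
        bucket["bytes"] += rec["bytes"]
        bucket["clients"].add(rec["ip"])
    return dict(counters)


def flag_spikes(counters, baseline_seconds=2, factor=5.0, min_requests=10):
    """Learn a baseline from the first `baseline_seconds` buckets and flag any later
    second whose request count exceeds factor * baseline and at least min_requests."""
    seconds = sorted(counters)
    base = seconds[:baseline_seconds]
    baseline_rps = sum(counters[s]["requests"] for s in base) / max(len(base), 1)
    flagged = []
    for sec in seconds[baseline_seconds:]:
        c = counters[sec]
        if c["requests"] >= min_requests and c["requests"] > factor * baseline_rps:
            flagged.append({
                "time": sec.isoformat(),
                "requests": c["requests"],
                "distinct_clients": len(c["clients"]),
                "bytes": c["bytes"],
                "baseline_rps": baseline_rps,
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_spikes(per_second_counters(SAMPLE_LOG)):
        print(hit)
```

The distinct-client count is reported alongside the request count because it separates the two shapes the article describes: a burst from one or two addresses (which a per-client rate limit can handle) versus a distributed burst from many addresses, which is the DDoS case and needs upstream mitigation.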
The same principle applies to the network, where the following should be monitored:
• Total inbound and outbound tcp connections
• Total sent and received bytes per second
Other indicators may be used to identify potentially dangerous situations; e.g. a DoS attack tends to saturate the resources available to the portal, so a check on memory usage or CPU load can be an indicator.
In particular:
• Processor percentage usage
• Available RAM
As the portal is a complex system, not only the web server and application server need to be monitored: the database and the physical machine need to be monitored as well.
Regarding the Database:
• Number of connections
• Logins per second
• Errors per second
• Size of log file
• Total time spent waiting for a resource lock (latch)
• Processes waiting for a latch per second
Basically a web portal is generally a complex system: a physical server on which a web server, an application server and a database are running. DoS or DDoS attacks aim to saturate the portal's resources, so an effective monitoring process must be able to monitor the availability of those resources and, in particular, the increase in their utilization over time.
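The closing point, that what matters is the increase in utilization over time rather than any single reading, is the part monitoring tools most often get wrong. The following is an added example, not code from the original article, showing one way to apply it to the machine-level and database-level counters listed above (CPU percentage, used memory, active connections). Each series is a constructed sequence of periodic samples; a baseline is learned with an exponentially weighted moving average during a warm-up period, an alert is raised only when several consecutive samples exceed a multiple of that baseline, and samples that exceed it are deliberately left out of the average so that an attack in progress cannot drag the baseline up to meet it. The warm-up length, smoothing factor, factor of 1.5 and run length of 3 are assumptions for the sample data.

```python
# Constructed metric series (not real measurements), one value per sampling
# interval. CPU and connections ramp up after a quiet period; used memory stays
# flat apart from a single isolated spike that should NOT raise an alert.
METRICS = {
    "cpu_pct": [20, 21, 19, 22, 20, 18, 21, 20, 22, 19] * 2
               + [45, 60, 80, 90, 95, 97, 98, 99],
    "used_mem_mb": [800] * 10
                   + [820, 790, 2500, 810, 805, 815, 800, 795, 810, 805,
                      800, 810, 795, 805, 800, 815, 790, 805],
    "active_conns": [50, 52, 48, 55, 51, 49, 53, 50, 47, 52,
                     50, 51, 49, 53, 50, 48, 52, 51]
                    + [120, 400, 900, 1500, 2000, 2500, 2600, 2700, 2750, 2800],
}


def detect_sustained_rise(values, warmup=10, alpha=0.2, factor=1.5, consecutive=3):
    """Return the index of the sample at which `consecutive` successive values have
    each exceeded factor * EWMA baseline, or None if that never happens.

    The EWMA is seeded from the first `warmup` samples and afterwards updated only
    from samples that are below the threshold, so anomalous readings do not
    become the new normal while the rise is still going on."""
    if len(values) <= warmup:
        return None
    ewma = float(values[0])
    for v in values[1:warmup]:
        ewma = alpha * v + (1 - alpha) * ewma
    run = 0
    for i in range(warmup, len(values)):
        v = values[i]
        if v > factor * ewma:
            run += 1
            if run >= consecutive:
                return i
        else:
            run = 0  # an isolated spike resets the run
            ewma = alpha * v + (1 - alpha) * ewma
    return None


def evaluate(metrics):
    """Run the detector over every series; value is the alert index or None."""
    return {name: detect_sustained_rise(series) for name, series in metrics.items()}


if __name__ == "__main__":
    for name, idx in evaluate(METRICS).items():
        state = "OK" if idx is None else f"sustained rise from sample {idx}"
        print(f"{name}: {state}")
```

Requiring several consecutive samples trades a little detection latency for far fewer false alarms from transient spikes such as a backup job or a cache rebuild; the run length should be set with the sampling interval in mind, since three samples taken every five seconds is a very different delay from three taken every minute.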