Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Greetings,
Just need some help on interpreting some network traffic data which was captured during a DDoS. It was mailed to me by a friend who runs the server, but perhaps a more learned interpretation would help my understanding of the situation.
Here are two screenshots:
I have limited knowledge on the subject, but at first hand it seems to me that the server is poorly configured, as such a low number of requests / traffic shouldn't have been able to bring the site down. Going on the data represented in the graphs, what conclusions could one draw on the efficiency of the server config to prevent such attacks in future? Is it indeed badly configured?
As a novice in such matters, any feedback would definitely help with my understanding of the subject.
Are you sure that it is a true DDoS? You certainly can't tell from those graphs. And something like Slowloris can bring down a server with very low traffic rates and can look quite similar to a DDoS.
Anyway, it probably is a sub-optimal configuration, but what kind you couldn't really tell without a load more detail.
Thanks salasi,
So what could have been responsible for the blue peak, and what does this actually represent in terms of request volumes? It does look quite menacing in pic1.
Err, almost anything. It could be a DoS, it could be a DDoS (and given that the counter measures could be far simpler for a DoS, it is not merely an idle, semantic distinction), it could be something to do with the site content (assuming that it has content - you haven't said whether it does, but it is a strong possibility), it could be anything that makes this content suddenly more popular, it could be a massively popular site mistakenly linking to your site.
As you seem to be unwilling to add the kind of evidence (any?) that has either persuaded you or could persuade someone else that this is a DDoS, is there really any point in carrying on with this thread?
Sorry for being so vague, salasi. The site does have content. I was told it was a very hard DDoS, but judging by the basic stats in the graphs I can't think it could have been that large an attack? I was just wanting to know what someone with expert knowledge or experience could make of the data in the graphs.
You don't use graphs to investigate possible DoS and DDoS activity. And you wouldn't believe how many people that visit the forums think they're under attack when it's something else entirely (as salasi mentioned above).
A simple search of these forums should help you a bit with using the proper tools and assessment of denial-of-service-like activity. Once that is done, supply some supporting information that isn't a chart. Do this and you'll be helping the people that want to help you investigate.
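As an added illustration of the point made in the last two replies (this is not code posted by anyone in the thread), the script below looks at connection-level evidence rather than a bandwidth graph. It parses the text produced by `ss -tan` and groups connections by remote address and TCP state, so a handful of clients holding many open connections (the pattern of a low-bandwidth, connection-exhaustion DoS such as Slowloris) shows up even when traffic volume looks harmless. The sample `ss` output embedded in it is constructed; the threshold of three concurrent connections per peer is an assumption chosen for the sample and should be tuned to the real server.

```python
"""Summarise TCP connection state per remote address from `ss -tan` output.

Added example for this thread, not code from the original posts. Reads
`ss -tan` text from stdin when piped, otherwise uses the constructed sample
below. Real use:  ss -tan | python3 conn_summary.py
"""
import sys
from collections import Counter

# Constructed sample of `ss -tan` output (header row plus connection rows).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:80           0.0.0.0:*
ESTAB      0      0      203.0.113.10:80      198.51.100.7:51234
ESTAB      0      0      203.0.113.10:80      198.51.100.7:51235
ESTAB      0      0      203.0.113.10:80      198.51.100.7:51236
ESTAB      0      0      203.0.113.10:80      198.51.100.7:51237
ESTAB      0      0      203.0.113.10:80      192.0.2.44:40001
SYN-RECV   0      0      203.0.113.10:80      192.0.2.45:40002
TIME-WAIT  0      0      203.0.113.10:80      192.0.2.46:40003
"""


def split_host_port(addr):
    """Split 'host:port' into (host, port); also handles IPv6 like '[::1]:80'."""
    host, _, port = addr.rpartition(':')
    return host.strip('[]'), port


def parse_ss(text, local_port=None):
    """Yield (state, peer_host) for each connection row, skipping the header
    and LISTEN sockets. If local_port is given, keep only that local port."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ('State', 'LISTEN'):
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        _, lport = split_host_port(local)
        if local_port is not None and lport != str(local_port):
            continue
        yield state, split_host_port(peer)[0]


def summarise(text, local_port=None, threshold=3):
    """Return (connections per peer, connections per TCP state,
    set of peers holding at least `threshold` concurrent connections)."""
    per_peer = Counter()
    states = Counter()
    for state, peer in parse_ss(text, local_port):
        per_peer[peer] += 1
        states[state] += 1
    flagged = {p for p, n in per_peer.items() if n >= threshold}
    return per_peer, states, flagged


if __name__ == '__main__':
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    per_peer, states, flagged = summarise(text, local_port=80)
    print('connections by state:', dict(states))
    for peer, n in per_peer.most_common(10):
        mark = '  <-- many concurrent connections' if peer in flagged else ''
        print(f'{peer:>40} {n:4d}{mark}')
```

Run on the sample, it reports five ESTAB, one SYN-RECV and one TIME-WAIT connection to port 80, and flags 198.51.100.7 for holding four of them at once. That per-peer concurrency count, together with the request rate from the web server's access log, is the kind of supporting information the replies above are asking for; a traffic graph alone cannot distinguish a few slow clients tying up every worker from a genuine flood.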