Are you listening to your logs? Part 1: Slow server response

Are you listening to your logs? Part 1: Slow server response

Are you listening to your logs? Part 1: Slow server response


Is there a more uninspiring word to encounter while browsing the internet? When a loading screen occurs, statistics show it takes only three seconds for a potential customer to leave your website.

Are you listening to your logs? is a blog series that aims to explore logs for insights into potential security and operational concerns lurking in your network. In this blog, we take a look at server response time — time that passes between a client requesting a page and a server responding to that request — and how it can be linked to a denial-of-service (DoS) attack.

Server response time is measured by time to first byte (TTFB) after sending an HTTP request. It is a critical performance metric for websites, as higher server response times have been shown to affect purchase decisions. The ideal server response time is 200 to 250 milliseconds; anything higher than 500 milliseconds is deemed slow server response and needs attention.

Slow server response may occur due to a variety of reasons, one of which is a lack of proper hosting. Others include the complexity of your website, presence of the third-party plug-ins, a lack of caching on the client side, back-end server issues, sales events such as Black Friday or Cyber Monday, or a DoS attack, which is when slow server response becomes an indication of security compromise.

When a web server receives a request for a website, it responds by running database queries and loading multiple files. The aim of a DoS attack is to render a website unavailable. The website stops functioning when the server encounters a large number of requests in a short span of time. There are multiple ways to achieve this:

Volume-based attacks: User Datagram Protocol (UDP) floods, Internet Control Message Protocol (ICMP) floods, and other spoofed-packet floods

Protocol-based attacks: SYN floods, ping of death, etc.

Application layer attacks: HTTP flood, GET/POST flood, low and slow attacks

Application layer DoS attacks like HTTP floods target Apache web servers and Windows. The attack is carried out by flooding the web server with a multitude of HTTP requests in a short span of time.

Another variation to DoS attacks is distributed DoS attacks, or DDoS attacks. This attack is carried out using multiple IP machines, which may be compromised hosts themselves, to send requests. In this case, looking at the HTTP request traffic is of little help as the multiple request sources make it difficult to distinguish malicious traffic from normal traffic. This is why detecting DDoS attacks through just network traffic monitoring may prove ineffective and requires additional parameters to be considered.

Server response time is a visibly affected metric during a DoS attack, being five to ten times higher than the normal response time and a dead giveaway. Monitoring server response time along with factors like the number of requests can prove very effective in discovering a DDoS attack, where monitoring client IP address alone may fail.

ManageEngine EventLog Analyzer is a comprehensive log management tool that monitors Windows Internet Information Services (IIS) web server and Apache server logs. It provides out-of-the-box reports on various DoS attacks.

With its well-built alerting feature, you can use EventLog Analyzer to set up custom alerts that consider multiple factors to detect slow server response in your network, and be notified in real time. Once alerted, you can quickly investigate the cause by looking into the extensive web server reports on access logs, error logs, and other web server logs.

Explore EventLog Analyzer now!

** Optrics Inc. is an Authorized ManageEngine partner

The original article can be found here:

Leave a Reply