Slow response of the server

Server response time is an important performance parameter for servers hosting your business websites. The time that passes between a client requesting a page and a server responding to that request is the server response time. It is measured by TTFB—Time in milliseconds, taken to receive the First Byte of the page after sending a HTTP request, in WIndows. In Apache server logs, the parameter is called requesttimeMillisec. In a world where time is money, we often find customers losing interest when the page does not respond to their requests in time.

Slow server response is usually caused by a variety of performance-related issues such as lack of proper website hosting, large number of requests due to sales and so on. Most often, slower server response occurs when there is unusually high traffic to your website. Interestingly, this could be an early indication of an IT security breach. Let's see how.

One of the most dreaded cybersecurity attacks is Denial of Service (DoS). DoS aims to make your server inaccessible to the rest of the network, by flooding it with a huge number of requests. These requests could either be from a single source or multiple sources.

The United States Computer Emergency Readiness Team (US-CERT) has identified the Dos symptoms to be,

• unusually slow network performance (opening files or accessing web sites),
• unavailability of a particular web site, or
• inability to access any web site

The overloading prevents the server from responding to legitimate requests. If your organization provides a vital service such as as banking, then this attack proves to be disastrous.

Dos attacks can be detected in time if the incoming and outgoing traffic into the network is diligently monitored. Multiple requests from a single IP address or a large number of requests from multiple IP addresses to a single server is an indication. But relying on source IP addresses may or may not be effective. Some DoS attacks are targeted and their traffic can easily be disguised as normal network traffic.

Keeping an eye out for the symptoms along with the network traffic could prove highly effective in detecting dos attack in time. Monitoring the web servers for anomalies in server response times can help in securing your network with a timely and quick response to DoS attack.

Apache server logs provide a lot of vital information with regards to traffic analysis, errors and perfomance metrics. RequesttimeMillisec is the time in milliseconds taken to load the webpage. Any log records that indicate more than 1000 milliseconds for a threshold limit of 200 requests means your server response is slow.

EventLog Analyzer , a comprehensive log management tool can audit Apache server logs. You can set up real time alerts that monitor slow server response on Apache servers. It also monitors your network for DoS activity based on network traffic. Click here to explore EventLog Analyzer.