1

Let us say that we need to test an HTTPS web site for vulnerability/response in case of DOS/DDOS attacks.

Among other tools, we can use GoldenEye for this purpose. We can vary the number of workers and agents, thus varying the scale of attack.

How do you propose we measure the site response with the varying degree of attack?

One way for this could be to open the site in a browser and observe the site response when reloaded. However, this is not very satisfying, since this will be solely based on user perception.

Is there any way we can quantify the site response?

The site in question is remotely located and not physically accessible.

2 Answers

1

This probably depends on your own requirements and whether you just want to know if it gets slow or you also want to have some knowledge about what "pressure" is required for your server to collapse.

You need to define how much concurrency needs to be handled and therefore how many requests need to be served on normal load.

I would then check the base level performance of your application to get some information:

  • Average response times on low / medium / high load
  • Scaling of response times with additional concurrency

Having determined your base level, you can start putting load on your servers to see how the response times change.

I would assume that the response times of your application will scale quite linearly at first and will converge to a given throughput, staying there for a while before the throughput of the benchmark you're using to simulate your actual userbase collapses.

To simulate your userbase, you may use a tool like gobench.

1

You don't say which httpd server you are using...

If you are using Apache httpd then you can tell it to log the time it takes to service the request, in particular:

  • %T - The time taken to serve the request, in seconds.
  • %D - The time taken to serve the request, in microseconds.

There is also:

  • %{UNIT}T The time taken to serve the request, in a time unit given by UNIT. Valid units are ms for milliseconds, us for microseconds, and s for seconds. Using s gives the same result as %T without any format; using us gives the same result as %D. Combining %T with a unit is available in 2.4.13 and later.

More information in the mod_log_config documentation.

I'm sure that other httpd servers will have similar log options.
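One way to turn the %D field described in the answer above into per-minute numbers, as an added example that is not part of the original answer. It assumes the access log is written with `LogFormat "%h %l %u %t \"%r\" %>s %b %D" timed` (so %D is the last field); the log lines and the function names are constructed for illustration.

```python
import math
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed format (not from the page): LogFormat "%h %l %u %t \"%r\" %>s %b %D" timed
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ (?P<usec>\d+)$')

# Constructed sample: one quiet minute, then one minute under heavy load.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 18000
203.0.113.6 - - [10/Mar/2024:12:00:15 +0000] "GET / HTTP/1.1" 200 5120 22000
203.0.113.5 - - [10/Mar/2024:12:00:30 +0000] "GET /a HTTP/1.1" 200 812 20000
203.0.113.7 - - [10/Mar/2024:12:00:48 +0000] "GET / HTTP/1.1" 200 5120 25000
this line is truncated and must be skipped
203.0.113.8 - - [10/Mar/2024:12:01:02 +0000] "GET / HTTP/1.1" 200 5120 950000
203.0.113.9 - - [10/Mar/2024:12:01:10 +0000] "GET / HTTP/1.1" 200 5120 1200000
203.0.113.5 - - [10/Mar/2024:12:01:20 +0000] "GET / HTTP/1.1" 503 299 30000000
203.0.113.6 - - [10/Mar/2024:12:01:35 +0000] "GET /a HTTP/1.1" 200 812 1500000
203.0.113.7 - - [10/Mar/2024:12:01:50 +0000] "GET / HTTP/1.1" 503 299 2100000
"""

def percentile(sorted_vals, pct):
    """Nearest-rank percentile of an already sorted, non-empty list."""
    return sorted_vals[max(1, math.ceil(pct / 100 * len(sorted_vals))) - 1]

def summarize(log_text):
    """Per-minute request count, median/p95 latency (ms) and 5xx rate."""
    buckets = defaultdict(lambda: {"ms": [], "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or differently formatted line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        b = buckets[ts.strftime("%Y-%m-%d %H:%M")]
        b["ms"].append(int(m["usec"]) / 1000)  # %D is in microseconds
        b["errors"] += m["status"].startswith("5")
    report = {}
    for minute, b in sorted(buckets.items()):
        ms = sorted(b["ms"])
        report[minute] = {"requests": len(ms), "median_ms": median(ms),
                          "p95_ms": percentile(ms, 95),
                          "error_rate": b["errors"] / len(ms)}
    return report

if __name__ == "__main__":
    for minute, stats in summarize(SAMPLE_LOG).items():
        print(minute, stats)
```

Comparing the baseline minute with the loaded minute gives the quantified response the question asks for: latency percentiles and error rate per time window rather than a browser impression.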
