How to determine what caused a sudden increase of traffic to the AWS servers

amazon-ec2, amazon-elb, amazon-web-services

I recently set up a cloud system on Amazon AWS for a big website. I usually use Elastic Beanstalk to deploy the application (written in Java Spring) and it's currently running on 4 micro instances.

I've set a rule to auto scale up when the CPU is over 70% for more than 2 minutes. I noticed that last night (when the traffic is usually very low), the system scaled up to 15 instances for a total of about 8 hours. I then noticed that the "traffic in" of the auto scaling group went from an average of 1,000,000 to an average of 30,000,000 (for about 10 minutes and every hour or so) with the "traffic out" remaining constant.

I know that we have competitors that may want our website to fall down. Are these the symptoms of a DDoS attack? Is there a way I can prevent this from happening? Is there a way to detect what caused the "traffic in" to increase?

Best Answer

The best way to determine what happened on your server is to check the logs. Look at where the Log4J properties file says the logs are being kept and read through them to see if there was a spike in requests from a particular IP/group of IPs.

You'll also do well to set up a NetworkIn alarm that lets you know when traffic to your instances is beyond whatever threshold you expect for your application.
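
As an added example, not part of the original answer: if access logging is enabled on a Classic Load Balancer in front of the instances (an assumption; the answer refers to the application's Log4J logs), each log line records the client address and the bytes received, which is what a "traffic in" spike with flat "traffic out" calls for. The sample lines, the 10-minute bucket and the 5x-median threshold below are constructed for illustration.

```python
import shlex
from collections import Counter, defaultdict
from statistics import median

# Constructed sample in the Classic Load Balancer access-log layout:
# timestamp elb client:port backend:port 3 timings, 2 status codes,
# received_bytes sent_bytes "request" "user_agent" ssl_cipher ssl_protocol
SAMPLE = """\
2024-01-01T00:52:10.000000Z my-elb 198.51.100.7:40000 10.0.0.5:80 0.0001 0.02 0.0001 200 200 300 5200 "GET http://example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2024-01-01T00:55:41.000000Z my-elb 198.51.100.9:40100 10.0.0.6:80 0.0001 0.02 0.0001 200 200 300 5100 "GET http://example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2024-01-01T01:01:02.000000Z my-elb 203.0.113.50:51000 10.0.0.5:80 0.0001 0.90 0.0001 200 200 2000000 180 "POST http://example.com:80/search HTTP/1.1" "-" - -
2024-01-01T01:03:30.000000Z my-elb 203.0.113.50:51001 10.0.0.6:80 0.0001 0.95 0.0001 200 200 2000000 180 "POST http://example.com:80/search HTTP/1.1" "-" - -
2024-01-01T01:04:12.000000Z my-elb 198.51.100.7:40002 10.0.0.5:80 0.0001 0.02 0.0001 200 200 700 5200 "GET http://example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2024-01-01T01:12:00.000000Z my-elb 198.51.100.9:40101 10.0.0.6:80 0.0001 0.02 0.0001 200 200 500 5100 "GET http://example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
2024-01-01T01:25:00.000000Z my-elb 198.51.100.7:40003 10.0.0.5:80 0.0001 0.02 0.0001 200 200 700 5200 "GET http://example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
"""

def parse(line):
    """Return (10-minute bucket, client IP, received_bytes) for one log line."""
    f = shlex.split(line)                    # keeps the quoted fields whole
    bucket = f[0][:15] + "0"                 # 2024-01-01T01:03 -> 2024-01-01T01:00
    return bucket, f[2].rsplit(":", 1)[0], int(f[9])

def inbound_spikes(lines, factor=5, top=3):
    """Buckets whose inbound bytes exceed factor x the median bucket,
    each mapped to its heaviest senders as (client IP, bytes) pairs."""
    per_bucket = defaultdict(Counter)
    for line in lines:
        if line.strip():
            bucket, client, rx = parse(line)
            per_bucket[bucket][client] += rx
    if not per_bucket:
        return {}
    totals = {b: sum(c.values()) for b, c in per_bucket.items()}
    baseline = median(totals.values())
    return {b: per_bucket[b].most_common(top)
            for b in sorted(totals) if totals[b] > factor * baseline}

if __name__ == "__main__":
    for bucket, senders in inbound_spikes(SAMPLE.splitlines()).items():
        print(bucket, senders)
```

A bucket dominated by one or two addresses sending large request bodies points at a specific source; a spike spread evenly over many addresses does not.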
