We monitor our web farm nodes for, among other things, ASP Current Sessions. An alert was generated today when ASP sessions on one node suddenly grew to about 50x normal. A quick check of the web log revealed a definite attempt at bringing down the server. A quick IP block added to the firewall and, presto, end of crisis.
It was not a distributed attack or even a very sophisticated attack, but nevertheless, within 10 minutes, the attack was detected, verified, and stopped. Thanks Alex -- I'm liking HM more every day.
:)