I manage the code and deployments for an ASP.NET site on a dedicated server. Windows 2008-64 R2, 8GB RAM, Dual Core. It is a dedicated intranet site that never has much traffic. Most of the performance issues that we run into are memory issues on the server (the app sometimes has to import and interpret data from 1GB+ Excel files, or process large amounts of data for insertion into the DB) or in the DB (from the aforementioned inserts, sometimes coupled with table locking due to data being updated concurrent with insertions to the same table).
A few days ago, there was a six-hour period of time where the Processor monitors on the site were over 95% for the entire period. Website responsiveness was sluggish, and at times it was impossible to access the site at all. I got twice-per-minute emails from our monitoring service about the sustained processor over-utilization, but aside from a couple of alarms that did not repeat, there were no issues with running out of memory. And from the user perspective, reports came in indicating that upload bandwidth was much slower than normal.
I checked Windows logs - nothing out of the ordinary. Checked my internal logs on the site for any in-site activity that might account for this, and also nothing to explain the poor behavior (or even something that might have explained running short on memory). So I am still left looking for a cause to this server event (it cleared up on its own, very suddenly).
The only other explanation that I can think of is a DDoS attack. The entire site is password protected, but I would think that if enough connections were being made to the homepage during this time, it would result in the symptoms that I know about: sustained high processor utilization (without any hit on memory, since the login page is not dynamic) and decreased bandwidth in both directions.
Is there any way that I can try to verify if this may or may not have been the cause? Any default logs in Windows Server or IIS that would record information like this? Is there any other cause that you can think of that would lead to the symptoms that I described?
Hrmm... typically DDoS attack information is detected at the edge of Internet-facing sites, so... the firewall that protects them. I don't know that you're going to get much in the way of logging from the OS unless it caused some kind of serious resource contention issues. IIS may have something; that being said, I believe you will find this was not a DDoS but something application-specific that caused a hangup. You would do well to get some kind of logging of processes and their resource usage in place.
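
Added example, not part of the original question or answer: a Python pass over IIS W3C request logs that reports, per minute, the request count, distinct client IPs and slowest request, which helps tell a connection flood apart from a few expensive application requests. The log lines are constructed, the field list is one possible IIS logging configuration, and the threshold passed to `flag_minutes` is an assumed value.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2024-01-10 09:00:05 GET /login.aspx 10.0.0.21 200 31
2024-01-10 09:00:40 POST /import.aspx 10.0.0.22 200 58211
2024-01-10 09:01:01 GET /login.aspx 203.0.113.7 200 15
2024-01-10 09:01:01 GET /login.aspx 203.0.113.7 200 16
2024-01-10 09:01:02 GET /login.aspx 203.0.113.8 200 14
2024-01-10 09:01:02 GET /login.aspx 203.0.113.7 200 15
2024-01-10 09:01:03 GET /login.aspx 203.0.113.9 200 17
"""

def summarize(lines):
    """Return {minute: stats} from W3C log lines, honoring each #Fields directive."""
    fields, buckets = [], defaultdict(lambda: {"requests": 0, "clients": Counter(), "max_ms": 0})
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                          # skip truncated or corrupt rows
        row = dict(zip(fields, parts))
        minute = f"{row.get('date', '')} {row.get('time', '')[:5]}"
        b = buckets[minute]
        b["requests"] += 1
        b["clients"][row.get("c-ip", "-")] += 1
        taken = row.get("time-taken", "0")   # milliseconds when the field is logged
        b["max_ms"] = max(b["max_ms"], int(taken) if taken.isdigit() else 0)
    return dict(buckets)

def flag_minutes(stats, min_requests):
    """Minutes whose request count reaches min_requests (threshold is an assumption)."""
    return sorted(m for m, b in stats.items() if b["requests"] >= min_requests)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for minute, b in sorted(stats.items()):
        top_ip, top_n = b["clients"].most_common(1)[0]
        print(minute, b["requests"], "req,", len(b["clients"]), "clients,",
              f"top {top_ip}={top_n},", "slowest", b["max_ms"], "ms")
```

A minute with many requests spread over many client IPs points toward a flood; a minute with few requests but a very large `time-taken` points toward application work such as a large import.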