When should we use the "under attack" option?

Recently I was inside my google analytics and noticed a big uptick of current users (from 1 to 10). All of the users were based in Taiwan, viewing the english version of my page. I was currently running an ad campaign within Poland, so this big rush of untargeted visitors was alarming. Is this a time I should be worried? Should I have used the “Under Attack” button?

In a more general sense, what does an attack look like? what are the immediate effects? How can I defend against it?

“I’m under attack!” mode is usually used when you are experiencing HTTP DDoS attacks.

1 Like

The simplest way to see a genuine attack is to tail the log file on your server.
When doing this an attack is obvious, once you are used to seeing the regular traffic on your server when an attack happens you will see a sharp increase in the volume of hits on your server and can take appropriate action.

So was I right to assume an attack was happening? What is the appropriate action I should take? How quickly should this action be taken?

Personally going from 1 to 10 would not really worry me unless you saw performance issues on your site.
I would rather think a jump from 1 or 2 users to 1000 to 10’000 active “users” as more likely an attack.
But it really depends on the site I guess.
To investigate have a look through your logs and see what was being hit, was it regular browsing, a search bot trawling your site, a restricted area trying to brute force login etc…
First port of call is your logs

For the average website, an attack will be extremely obvious because it hasn’t been setup to defend against it. The website will simply go down, collapsed under the pressure, and/or be taken offline by the host for consuming too much resources (cheap shared hosting, etc.).

Or it’ll be just barely online, taking 5 minutes just to connect before it can begin to load each page, broken images, etc.

In other words: if you’re under attack, you’ll know. That’s the point of attacking in this way.

But then I guess you’re wondering if you were victim of a more targeted attack and not just a random DDoS? Probably not, but that isn’t what the “Under Attack” button is used for. It’s like a panic button to temporarily relieve the website as it’s overwhelmed by many thousands of connections.

The more targeted attacks can be detected/blocked by something like the Wordfence plugin if you’re on WordPress, the Cloudflare firewall, a properly setup origin server, etc.