A DDoS attack can be detected with Energy Logserver in a few ways, which we have used in previous deployments with multiple customers. In all scenarios we want a notification or a specific action taken when the attack is detected, which is why we use alerting. We can either integrate with firewall software that is capable of detecting such an attack, or we can build the detection independently.
In one approach the alert type for this use case is Frequency. We look for an indicator of a connection and count it by source IP. If there are more than 100 connections from one IP in 5 minutes, the alert is triggered.
We can create the same kind of alert per website, with a defined threshold for the maximum number of visits.
Another option is to create both of those alerts without notification and correlate them using the Logical alert type.
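The three rules described above (a per-source-IP Frequency alert, a per-website Frequency alert, and a Logical alert that fires only when both hold) can be modelled in plain Python to see what each one actually counts. This is an added example, not code or rule configuration from Energy Logserver or from the original text; the log format, the IP addresses and the website names are constructed, and the function names are hypothetical. It goes slightly beyond the text by using a sliding 5-minute window, so 100 connections spread over ten minutes correctly do not trigger.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Constructed sample log lines: "<ISO timestamp> <source ip> <website>".
# 120 connections from 203.0.113.7 to shop.example.test within two minutes (a burst),
# 105 connections from 192.0.2.9 spread one every six seconds (slow, stays under the window),
# plus a handful of ordinary requests from other clients.
SAMPLE_LOG = (
    [f"2024-05-01T10:{i // 60:02d}:{i % 60:02d} 203.0.113.7 shop.example.test" for i in range(120)]
    + [f"2024-05-01T11:{(i * 6) // 60:02d}:{(i * 6) % 60:02d} 192.0.2.9 blog.example.test" for i in range(105)]
    + [
        "2024-05-01T10:00:30 198.51.100.2 shop.example.test",
        "2024-05-01T10:01:10 198.51.100.3 blog.example.test",
        "2024-05-01T10:03:00 198.51.100.2 blog.example.test",
    ]
)


def parse(line):
    """Split one constructed log line into (timestamp, source_ip, website)."""
    ts, ip, site = line.split()
    return datetime.fromisoformat(ts), ip, site


def frequency_alerts(events, key_index, threshold, window=WINDOW):
    """Sliding-window Frequency rule (hypothetical model of the alert type).

    Events are processed in time order; for each key (source IP or website) we keep the
    timestamps that fall inside `window` and fire once per key as soon as the count
    exceeds `threshold`. Returns {key: time_of_first_trigger}.
    """
    recent = defaultdict(deque)
    fired = {}
    for ts, *fields in sorted(events):
        key = fields[key_index]
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop connections older than the window
            q.popleft()
        if len(q) > threshold and key not in fired:
            fired[key] = ts
    return fired


def source_ip_alerts(lines, threshold=100):
    """Rule 1: more than `threshold` connections from one source IP in 5 minutes."""
    return frequency_alerts([parse(l) for l in lines], 0, threshold)


def website_alerts(lines, threshold=100):
    """Rule 2: more than `threshold` visits to one website in 5 minutes."""
    return frequency_alerts([parse(l) for l in lines], 1, threshold)


def correlated_alerts(lines, ip_threshold=100, site_threshold=100):
    """Rule 3 (Logical): report a (source_ip, website) pair only when rule 1 fired for the
    IP, rule 2 fired for the website, and that IP actually connected to that website."""
    events = [parse(l) for l in lines]
    noisy_ips = source_ip_alerts(lines, ip_threshold)
    busy_sites = website_alerts(lines, site_threshold)
    pairs = {(ip, site) for _, ip, site in events}
    return sorted(p for p in pairs if p[0] in noisy_ips and p[1] in busy_sites)


if __name__ == "__main__":
    print("source IP alerts:", source_ip_alerts(SAMPLE_LOG))
    print("website alerts:  ", website_alerts(SAMPLE_LOG))
    print("correlated:      ", correlated_alerts(SAMPLE_LOG))
```

The window comparison uses `>` so a connection exactly five minutes old still counts; the slow client never has more than about fifty connections inside any five-minute span and so never trips the IP rule, even though its total exceeds 100. Only the bursting source appears in the correlated result, which is the pairing the Logical alert is meant to surface.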