Is it DDOS or is it you?

Server load can tell you a lot about your day-to-day user traffic.

A sudden spike in server traffic can indicate an attack, but that’s not always the case. 

As website and performance monitoring become more mainstream, and you add a wider variety of backend testing and web monitoring checks to your infrastructure – you have to ask the question – Is that spike in server traffic DDOS? Or is it me…

server load cartoon

It’s not the size, it’s how you interpret it

Not all high load volumes indicate a DDOS attack. A sudden increase in traffic can be encouraging if they’re not bot attacks, so let’s start with the positives.

Your marketing team is nailing it

On their best day, spikes in traffic volume can mean that your marketing is working, maybe you’ve gone viral on social media, or you’ve got a really active catalog of backlinks that just went live. The easiest way to differentiate is to know if you were anticipating a potential increase.

Mistaken Identity

Here’s a funny story. Once upon a time your favorite uptime provider *ahem* us *ahem* received an unexpected spike in traffic, and an unexpected spike in support tickets when another company with a similar name was heavily advertised for one of their promotions. The kicker? Even they didn’t anticipate that level of media interest. 

How does this happen? A news media outlet may pick up your press release, or your promotion and forget to include the link to your site. This brings us to the random phenomenon of Google searches. 

If your SEO game is strong and you come up on page 1, users may mistake you for another company, or your company link may be used without your knowledge. Crazy stories like this can happen to you. Yet another reason to keep communication channels open with your users through support services and status pages.

Behind the scenes action

There is more than one scenario where backend traffic may be the culprit. 

Scheduled backups & software updates

Many companies have their backups scheduled to run on a recurring schedule – so the job is predictable but it’s important not to run your scheduled backups during peak user traffic times. 

Need to know when your peak traffic times are and where those users are coming from? Tools like Real User Monitoring (RUM) let you know how many users are at the party, how long it took them to arrive, what type of interactions they’re having, and if they ran into any errors or latency that caused them to bail. 

The geographical and user volume data provided by RUM reporting is essentially a timetable that can help you plan backend maintenance – in addition to illustrating real user experience.

RUM report

Monitoring Locations

This next one is our personal favorite, but also an overlooked reason for server spikes – and definitely one you should account for – since monitoring can help prevent DDOS and other negative traffic impacts. Any uptime monitoring provider worth their salt is going to offer monitoring from a variety of probe server locations all over the globe.  

If you have a web monitoring provider who isn’t stingy on servings, your monitoring locations can generate a traffic spike all on their own. 





Each configured location for an check will run consecutively during the set interval, every time the test is run. So for a 5 minute interval with 5 locations, a probe server is visiting your site every single minute on repeat, and that can add up to some significant extra weight on your servers.


Getting Hacked

The key phrase here is “for no good reason”. If you can’t validate the traffic you are seeing on your servers from your marketing efforts or from backend maintenance, then it’s time to acknowledge you may be getting attacked. 


DDOS attacks are easy to see; massive spikes in traffic with no explanation and a very immediate negative impact on your servers. This is also the most vocal kind of server attack as you’ll be hearing from your site visitors when they aren’t able to reach your page. 

What you don’t want is a user attack on top of a server attack, especially if you are a small to midsize business or startup where your team wears a lot of hats. Don’t put strain on support or customer service teams when you can instead take control of the narrative with a status page, and update and notify your regular site users as outages and updates develop.


Malware attacks can be harder to see – like icebergs – kind of visible with smaller spikes, but hiding much more damaging programs beneath the surface. Consistent monitoring and observation are the best defense here, setup malware and virus checks, and other server health checks to make sure your servers are receptive and performing as normal. Other tools like comparing RUM data against server traffic and your bandwidth monitor will also help you pinpoint spikes that don’t add up to your regular activity.


Observing patterns

Deja vu indicates a glitch in the Matrix, and a change in the pattern can indicate an attack. So let’s do a quick survival checklist:

  • Spikes at repeating intervals = probably safe

This is your backend testing and monitoring 

  • Sudden spikes with a reason – probably safe

Marketing efforts, going viral on social media, backlinks

  • Sudden spikes with zero explanation = call your emergency response team
  • Small spikes that can’t be explained = investigate

Maybe your reach is growing, maybe it’s malware

There’s much more to monitoring than meets the eye, it will change your infrastructure but improve your functionality and user experience. It will also protect you, and we can help you get started.

Check out our no shenanigans, no credit card required 21 day free trial and put our product and our team to the test.



Minute-by-minute Uptime checks.
Start your 14-day free trial with no credit card required at

Get Started

Don't forget to share this post!

Emily Blitstein is a technical content writer for With a background in writing and editing, Emily is committed to delivering informative and relatable content to the user community.

Catch up on the rest of your uptime monitoring news