Question

Would it be useful for a hacker in any way to publicly display current server stats, such as average load times and memory usage?

The only issue I can foresee is that someone attempting to DDoS the server would have a visible indication of success, or would be able to examine patterns to choose an optimal time to attack. Is this much of an issue if I'm confident in the host's anti-DDoS setup? Are there any other problems I'm not seeing (I have a bad tendency to miss wide-open security holes sometimes...)

Solution

Also useful for doing a MITM attack at the busiest time.

So the attacker can acquire the most targets before possible detection.

Another thing I can think of is logfile 'obfuscation', where requests by an attacker get lost in other logged stuff.

Maybe a long shot, but it can also be used to see where your visitors are coming from (based on the time they access the website), which can be used to target your visitors in other ways.

Also, to expand on the possibility of attackers DoSing the site, they can calculate the average response time at different times of the day (when it doesn't happen automatically), because they can put load on the server and see when the load gets less.

OTHER TIPS

Yes it's useful.

It will help him to know when he can download a big chunk of data, like a backup, without being detected by traffic statistics ;)

Also he will know when he can attack, do a penetration test, bruteforce or whatever, with a better chance of hiding his tracks in the logs.

Furthermore, if he gains access, he will know when he could collect more credit cards, passwords from users, if he had no luck with the database or it's an XSS attack, etc.

DDoS is another point, which you mentioned already. Memory and average load will give him the success status of the attack.

Licensed under: CC-BY-SA with attribution