Hi Matthew,
So it's probably worth covering a few of your points there.
a) I prefer not to use the word "attack". It suggests that something was "directed at you" which is unlikely. It's more accurate to think of it simply as a bot finding your server and doing a scan for possible vulnerabilities. It's not personal, it's just normal background traffic on the internet.
b) I doubt very much it was your first. More likely it was the first one so unsophisticated as to attract your attention. I know if I run a server for more than about 30 minutes it will inevitably get some "unwelcome" traffic during that time. Mostly it's just sort of "background noise".
c) It makes no difference if the server is HTTP or HTTPS - any client can ask for any resource from any server at any time. The server may or may not have that resource, that's not important, but any client can ask at any time.
>> The hacker could have been hitting our system for up to 10 minutes by the time I got notified to look at it. We don't keep file logging on so I don't have a record of what he was doing earlier.
All he did earlier, and all he did while you were looking, was sending requests. There is nothing intrinsically scary about this. If you do watch your server you'll see it goes on pretty much all day anyway. If anything this probe was really unsophisticated because they went too fast and attracted your attention.
>> My big concern is that he managed to lock everyone else out of the server. Everyone else got a time out error.
This is known as a denial of service attack. Basically it just makes your server so busy that others can't get a request in. It's like a pesky toddler that won't stop saying "mommy, mommy, mommy...."
>> Is there anything we can do to prevent an attacker from locking people out of our server in the future?
It's difficult to prevent denial-of-service (DOS) (and even more so distributed-denial-of-service (DDOS)) because by definition it's hard to differentiate legitimate traffic from illegitimate traffic. DOS is easier to prevent than DDOS.
On the upside they probably weren't trying to DOS you - if they were they would have asked for pages you _do_ have.
>> Also a feature idea: Auto ban an IP address if it gets too many 404s in a short amount of time. I bet that would limit most probing attacks.
All "banning" schemes come at a cost, and it's worth being very careful that you understand the cost before implementing them. Quite apart from the extra work incurred in tracking incoming requests, and then deciding what constitutes an "attack" and what is just errant behavior - it also has side effects (like performance slow-down) on legit traffic.
I'm not saying it's not possible, but you want to tread _very_ carefully here.
(For example - if you have a style file in your css list, or image file, which does not exist then your legit customers may be getting 404s behind the scenes. You probably don't want to ban them...)
Cheers
Bruce
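One way to try out Matthew's auto-ban idea offline before wiring it into a server, as an added example rather than code from this thread or from the server in question: a sliding-window counter over access-log lines that flags an IP only after several distinct non-asset paths came back 404 within a short span, so a legitimate visitor whose page references a missing stylesheet or image (Bruce's caveat) is not counted. The log lines, IP addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Common Log Format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0
198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 5123
198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /css/old-theme.css HTTP/1.1" 404 0
198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /img/banner.png HTTP/1.1" 404 0
198.51.100.20 - - [10/Oct/2023:13:55:41 +0000] "GET /favicon.ico HTTP/1.1" 404 0
198.51.100.20 - - [10/Oct/2023:13:55:41 +0000] "GET /css/print.css HTTP/1.1" 404 0
198.51.100.20 - - [10/Oct/2023:13:55:42 +0000] "GET /js/legacy.js HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)[^"]*" (\d{3})')
# 404s on these usually mean a broken <link>/<img> in the site's own pages, not probing.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")

def find_probing_ips(log_text, window_seconds=10, threshold=5):
    """Return {ip: distinct_count} for IPs that hit >= threshold distinct
    non-static missing paths within any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> deque of (timestamp, path) for counted 404s
    flagged = {}                  # ip -> distinct path count when first flagged
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # unparseable line: skip rather than guess
        ip, ts, path, status = m.groups()
        path = path.split("?", 1)[0]          # ignore query string when checking extension
        if status != "404" or path.lower().endswith(STATIC_EXT):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append((when, path))
        while when - q[0][0] > window:        # drop entries older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and ip not in flagged:
            flagged[ip] = distinct
    return flagged

if __name__ == "__main__":
    print(find_probing_ips(SAMPLE_LOG))   # {'203.0.113.7': 5}
```

Only the scanner is reported; the visitor with five broken asset references produces no hit, which is the false positive Bruce warns about.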