On Windows servers, we can use the following methods to check for DDoS attacks.
Count the connections on port 80 from the command line:
    netstat -ano | find /i /c ":80"

For example:

    C:\Users\Administrator>netstat -ano | find /i /c ":80"
    183927

Note that this count includes every line containing ":80", so the listening socket itself and any connection whose other port also matches (such as :8080) are counted too; treat it as a rough indicator.
The following command gives you the number of connections involving a specific IP address (replace IP with the address you want to check):

    netstat -ano | find /i /c "IP"
List all of the TCP connections on the server:

    netstat -n -p tcp

Export the connections on the server to a file using the command below:

    netstat -ano > ddosoutput.txt

Another method to find out the domain or IP address that the attack is targeting is given below.
1. Download and install Wireshark on the affected server:
http://www.wireshark.org/
2. Once installed, start the program on the server.
3. Under "Capture", click on "Interface List". Here you will see the traffic through all the NICs connected to the server.
4. Click on the interface where you see high traffic and then click on "Start".
5. You can now see the source and destination IPs. If it is a DDoS, you will see many different source IPs targeting a single destination. If the destination IP is the server's shared IP, you have to find the domain the attack is targeting, as there will be many domains configured on that shared IP.
6. For that, go to "View" > "Name Resolution" > "Enable for Network Layer". Once it is enabled, you can see the domain names. Pick out the domain name with the highest number of accesses, set its DNS to loopback, and suspend that account on the server.
But the DNS changes we make take some time to come into effect because of propagation delay. If the attack is really crashing the server, you need to contact your data center and, if they have any tools available to filter the attack, make use of them.
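As an added example that is not part of the original post, the following PowerShell script automates the per-IP counting that the netstat commands above do by hand: it parses netstat -ano output, keeps only the TCP connections to the chosen local port, and lists the connection states and the remote IPs with the most connections. A constructed sample of netstat output is embedded so it runs offline; the -UseLive switch, the $Threshold value and the sample addresses are assumptions of this example.

```powershell
# Added example, not from the original post: tally 'netstat -ano' output by remote IP for one local port.
# Run with -UseLive on the server to parse real output; without it, the constructed sample below is used.
param([int]$LocalPort = 80, [int]$Threshold = 50, [switch]$UseLive)

# Constructed sample in the exact column layout of 'netstat -ano' (RFC 5737 documentation addresses).
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    203.0.113.10:80        198.51.100.7:51234     ESTABLISHED     4
  TCP    203.0.113.10:80        198.51.100.7:51235     SYN_RECEIVED    4
  TCP    203.0.113.10:80        192.0.2.44:40001       ESTABLISHED     4
  TCP    203.0.113.10:3389      192.0.2.9:55000        ESTABLISHED     812
  UDP    0.0.0.0:53             *:*                                    1234
'@ -split "`r?`n"

$lines = if ($UseLive) { netstat -ano } else { $sample }

$connections = foreach ($line in $lines) {
    $f = $line.Trim() -split '\s+'
    # Only TCP rows have five columns; this skips the header, UDP rows and blank lines.
    # The LISTENING socket is not a client connection, so it is skipped too
    # (the plain 'find /c ":80"' count from the post includes it).
    if ($f.Count -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -eq 'LISTENING') { continue }
    # Addresses are "ip:port"; split on the last colon so IPv6 literals like [::1]:80 stay intact.
    $localPortField = [int]$f[1].Substring($f[1].LastIndexOf(':') + 1)
    $remoteIp       = $f[2].Substring(0, $f[2].LastIndexOf(':'))
    if ($localPortField -eq $LocalPort) {
        [pscustomobject]@{ RemoteIP = $remoteIp; State = $f[3]; OwningPid = $f[4] }
    }
}

"Connections to local port ${LocalPort}: $(@($connections).Count)"
"By state:"
$connections | Group-Object State | Sort-Object Count -Descending |
    ForEach-Object { "{0,6}  {1}" -f $_.Count, $_.Name }

# Many connections from one remote IP, or many half-open SYN_RECEIVED entries, are the patterns to look for.
"Top remote IPs (flagged at $Threshold or more):"
$connections | Group-Object RemoteIP | Sort-Object Count -Descending | Select-Object -First 20 |
    ForEach-Object {
        $flag = if ($_.Count -ge $Threshold) { '  <-- above threshold' } else { '' }
        "{0,6}  {1}{2}" -f $_.Count, $_.Name, $flag
    }
```

With the embedded sample the script reports 3 connections to port 80 (2 from 198.51.100.7, 1 from 192.0.2.44); on a live server, lower $Threshold or raise it to match the normal connection count per client for the site.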
----------
Thanks..