
Author Topic: How to Check DDOS on windows servers  (Read 10344 times)


lathu_official

  • Guest
How to Check DDOS on windows servers
« on: January 16, 2014, 01:06:01 pm »
On Windows servers, we can use the following methods to check for DDOS attacks.

Check the connections on port 80 through the command line:

Code:
netstat -ano | find /i /c ":80"

For example:

Code:
C:\Users\Administrator>netstat -ano | find /i /c ":80"
183927

The following command will give you the number of connections on a specific IP:

Code:
netstat -ano | find /i /c "IP"

Identify all of the connections on the server:

Code:
netstat -n -p tcp

Export the connections on the server using the command below:

Code:
netstat -ano > ddosoutput.txt


Another method to find out the domain or IP address on which the attack is targeted is given below.

1. Download and install Wireshark on the affected server

http://www.wireshark.org/

2. Once installed, start the program on the server

3. Under "Capture", click on the "Interface List". Here, you will see the traffic through all the NICs connected to the server.

4. Click on the interface where you see high traffic and then click on "Start".

5. You can see the source and destination IPs. If it is a DDOS, you can see different source IPs targeting a single destination. If the destination IP is the server's shared IP, then you have to find the domain on which the attack is targeted, as there will be many domains configured on the shared IP.

6. For that, go to "View" > "Name Resolution" > "Enable for Network Layer". Once it is enabled, you can see the domain names. Pick out the domain name where you see high accesses, set loop back on its DNS and suspend it from the server.

But the DNS changes we make would take some time to take effect, as there would be a propagation delay. If the attack is really crashing the server, you need to contact your data center, and if there are any tools available to filter the attack, make use of them.



----------

Thanks..
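The netstat counting steps in the post above, as an added PowerShell example that is not part of the original post: instead of running `find /i /c "IP"` once per suspect address, it parses the whole `netstat -ano` output (live, or the saved ddosoutput.txt) and counts connections to the chosen local port per remote address and per TCP state. The function names, the `Threshold` parameter and the sample netstat lines are assumptions made for this example; the sample uses documentation addresses and is constructed, not data from any real server.

```powershell
# Added example, not from the original post. Parses `netstat -ano` lines into
# objects so the per-IP count from the post can be produced for every remote
# address at once. Assumes a Windows host with netstat, or a saved
# ddosoutput.txt passed via Get-Content.

function ConvertFrom-NetstatOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        # Match: TCP <local>:<port> <remote>:<port> <STATE> <PID>
        # The greedy \S+ also copes with bracketed IPv6 addresses such as [::1]:80.
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{
                LocalAddress  = $Matches[1]
                LocalPort     = [int]$Matches[2]
                RemoteAddress = $Matches[3]
                RemotePort    = [int]$Matches[4]
                State         = $Matches[5]
                ProcessId     = [int]$Matches[6]
            }
        }
    }
}

function Get-NetstatSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,  # raw netstat -ano output
        [int]$LocalPort = 80,                     # service port to examine
        [int]$Threshold = 100                     # assumed value; tune per server
    )
    $conns  = @(ConvertFrom-NetstatOutput -Lines $Lines)
    $onPort = @($conns | Where-Object { $_.LocalPort -eq $LocalPort })

    # Connections per remote address, most active first
    $byRemote = @($onPort |
        Group-Object RemoteAddress |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                RemoteAddress = $_.Name
                Connections   = $_.Count
                Suspicious    = ($_.Count -ge $Threshold)
            }
        })

    # Connections per TCP state; a large SYN_RECEIVED share points at a SYN flood
    $byState = $conns | Group-Object State | Sort-Object Count -Descending |
        Select-Object @{ n = 'State'; e = { $_.Name } }, Count

    [pscustomobject]@{
        TotalConnections = $conns.Count
        OnLocalPort      = $onPort.Count
        DistinctRemotes  = @($onPort | Select-Object -ExpandProperty RemoteAddress -Unique).Count
        ByRemote         = $byRemote
        ByState          = $byState
        Suspicious       = @($byRemote | Where-Object { $_.Suspicious })
    }
}

# Constructed sample of netstat -ano output for an offline run (not real data).
# On a live server use:  $raw = netstat -ano
# Or the saved export:   $raw = Get-Content .\ddosoutput.txt
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID'
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234'
    '  TCP    203.0.113.10:80        198.51.100.7:40001     ESTABLISHED     1234'
    '  TCP    203.0.113.10:80        198.51.100.7:40002     SYN_RECEIVED    1234'
    '  TCP    203.0.113.10:80        198.51.100.7:40003     SYN_RECEIVED    1234'
    '  TCP    203.0.113.10:80        198.51.100.7:40004     SYN_RECEIVED    1234'
    '  TCP    203.0.113.10:80        192.0.2.55:51000       ESTABLISHED     1234'
    '  TCP    203.0.113.10:3389      192.0.2.200:52222      ESTABLISHED     888'
)

$summary = Get-NetstatSummary -Lines $sample -LocalPort 80 -Threshold 3
$summary | Select-Object TotalConnections, OnLocalPort, DistinctRemotes | Format-List
$summary.ByRemote | Format-Table -AutoSize
$summary.ByState  | Format-Table -AutoSize

# Export the suspects, parallel to the post's ddosoutput.txt step
$summary.Suspicious | Export-Csv -Path 'ddos-suspects.csv' -NoTypeInformation
```

With the constructed sample, 198.51.100.7 shows four connections to port 80 (three in SYN_RECEIVED) and is flagged, while 192.0.2.55 is not. One caveat on the post's `find /i /c ":80"` count: it matches the substring ":80" anywhere on the line, so connections on ports such as 8080 or 8000, and remote ports starting with 80, are counted too, and the LISTENING line itself adds one. Filtering on the parsed LocalPort, as above, gives the exact figure for the service under attack.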