Home / server / Questions / 40176
Accepted
Adam Brand
Asked: 2009-07-14 14:18:44 +0800 CST

Identifying DDOS Attacks on Windows 2008 Servers [duplicate]

  • 772

I recently was notified by my monitoring service that a few Windows 2008 servers (hyper-v instances) were down.

I logged into the Hyper-V box and noticed everything was super slow. I opened task manager and saw that while CPU and RAM were fine, network utilization on our "Public" NIC was at 99%.

This lasted for about 10 minutes, during which time I found that disabling inbound connections for one of the servers caused the network saturation to drop to normal levels. I disabled that server's inbound connections to allow the other servers to operate, and eventually the traffic went away.

I suspect this was a DDOS or regular Denial of Service attack, but it seems pretty random. The server in question is very low visibility and not a lot of value would come from someone taking it down.

What would be the best way to tell if I am experiencing a DDOS attack? Is there anything else that you could think of that would cause this, and, if so, what should I look for?

EDIT: This happened again. I tried netstat -noa but didn't see anything useful. I was hoping there was some command or program I could run that would show me how much bandwidth each IP is using (i.e., it says network utilization is 100%, but how does that add up). Does anything like that exist?

windows-server-2008 ddos denial-of-service

3 Answers

  1. May be this will help?

    Detecting DoS / DDoS Attack on a Windows 2003 / 2008 Server

    netstat is a command line utility which displays protocol statistics and current TCP/IP network connections in a system. Type the following command to see all connections:

    netstat -noa

    Where,

    1. n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
    2. o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
    3. a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
    • 2

  2. Servers are usually DoS'ed with connections rather than packets.
    So, a full utilization of the network path is not always necessary.

    If yours was a DDoS/DoS, it should have tripped your IDS in the inbound path (assuming you have one).

    Since you say it was a low visiblity web server, could it be someone inside or outside your enterprise mirroring it with a full rate wget kind of activity? That would choke your HyperV system if you have sufficient bandwidth on you uplink. It would also explain a short lived 'attack'.

    • 1
  3. Best Answer

    I found the following in Windows Server 2008 TCP/IP Protocols and Services.

    To see a SYN attack in progress on a computer running Windows Server 2008 or Windows Vista, use the Netstat.exe tool at a command prompt to display the active TCP connections. For example:

    alt text

    This is an example of a SYN attack. There are a number of TCP connections in the SYN_ RECEIVED state, and the foreign address is a spoofed private address with incrementally increasing TCP port numbers. The SYN_RECEIVED is the state of a TCP connection that has received a SYN, sent a SYN-ACK, and is waiting for the final ACK.

    which is confusing, because later on it says:

    TCP in Windows Server 2008 and Windows Vista use SYN attack protection to prevent a SYN attack from overwhelming the computer.

    ...so if that is the case, how would the above command help?

    • 1