Friday, December 4, 2009

Detecting DoS / DDoS Attack on a Windows 2003 / 2008 Server

How do I detect a DDOS (Distributed denial of service) / DOS attack on a Windows Server 2003 / 2000 / 2008, XP, Vista or Windows 7? Can I use Linux netstat command syntax to detect DDoS attacks?

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

You can always use netstat command to get list of connections under Windows. Open command prompt by visiting Start > Run > Type "cmd" in box.

netstat is a command line utility which displays protocol statistics and current TCP/IP network connections in a system. Type the following command to see all connections:
netstat -noa
  1. n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  2. o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
  3. a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
You can use find command as filter to searches for a specific string of text in a file. In the following example you are filtering out port 80 traffic:
netstat -ano | find /c "80"
Find the IP address which is causing maximum number of connection and block it using Cisco firewall or IPSec. Another protective measurement is to harden the TCP/IP stack.

Further readings:

1 comment:

  1. What if you can't find the Process ID(in Task Manager) that is establishing connections in your netstat? Is it hiding? Is there an explanation for this? Or is this proof of hacking?