How to Check if a Windows Server Is Under a DDoS Attack

July 28, 2023 / Servers, Hosting & Email

In this article, you will learn how to check if a Windows server is under a DDoS attack. If your Windows server is facing high load or unexpected downtime, it could be the result of a DDoS attack.

The following signs may suggest your server is under a DDoS attack:

  1. The website keeps loading indefinitely.
  2. SQL connection timeouts occur frequently.
  3. Site timeout errors stop users from viewing the site.
  4. Unable to send or receive emails.
  5. Server resources and ports are completely inaccessible.

These signs, combined with a complete drain on server resources, strongly indicate a DDoS attack. Take immediate steps to identify and stop the attack.

How to Check if a Windows Server Is Under a DDoS Attack?
To identify a potential DDoS attack on your Windows server, use the netstat command-line tool. It provides real-time information about active TCP/IP connections and network statistics, helping you detect unusual traffic patterns.

  1. Open the Command Prompt by pressing Windows + R, typing cmd, and hitting Enter.
  2. To check how many connections are established on your server, type the following command:
    netstat -ano
    Explanation of the Flags:
    The “a” option lists all active connections and listening ports, while “n” displays IP addresses and port numbers in numeric format. The “o” option shows the Process ID (PID) linked with each connection.
  3. Use the following command to save all listening ports and their associated IP connections to a text file:
    netstat -ano > netstat.txt
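  4. To check connections on port 80:
    1. Find the total number of connections made on port 80, using the following command:
      netstat -ano | find /i /c ":80"
    2. Display the connections, using:
      netstat -ano | find /i ":80"
      Type the quotes as plain straight quotes; curly quotes pasted from a web page are not treated as quotes by the Command Prompt. The string ":80" also matches ports that begin with 80, such as 8080, so review the listed lines before relying on the count.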
    3. Identify and Block IPs with High Connections:
      1. Check which IP address has the highest connections on port 80 and save the output to a segregated file.
      2. Once identified, you can block the IP address using the IP security policy.
  5. Check connections from a specific IP address, using the following:
    netstat -ano | find /i /c "IP Address"
    Replace "IP Address" with the actual address you want to investigate.
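
The step that asks for the IP address with the most connections on port 80 can be done by grouping the netstat output by remote address. The following PowerShell is an added example, not part of the original article; the function name, the sample lines, and the output file name are assumptions made for illustration.

```powershell
# Added example: count connections per remote IP on one local port from `netstat -ano` output.
function Get-ConnectionCountByRemoteIp {
    param(
        [string[]]$NetstatLines,   # lines of `netstat -ano` output
        [int]$LocalPort = 80
    )
    $rows = foreach ($line in $NetstatLines) {
        # Columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }   # skips headers and UDP rows
        # Split on the LAST colon so IPv6 endpoints such as [::1]:80 are handled.
        $seenPort = $f[1].Substring($f[1].LastIndexOf(':') + 1)
        if ($seenPort -ne "$LocalPort") { continue }           # exact match, so 8080 is not counted
        if ($f[3] -eq 'LISTENING') { continue }                # a listening socket has no remote peer
        $remoteIp = $f[2].Substring(0, $f[2].LastIndexOf(':')).Trim('[', ']')
        [pscustomobject]@{ RemoteIp = $remoteIp; State = $f[3] }
    }
    $rows | Group-Object RemoteIp | Sort-Object Count -Descending |
        Select-Object @{ n = 'RemoteIp'; e = { $_.Name } }, Count,
            @{ n = 'States'; e = { ($_.Group.State | Sort-Object -Unique) -join ',' } }
}

# Constructed sample using documentation-range addresses, not captured from a real server.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:80          203.0.113.7:51001      ESTABLISHED     4
  TCP    192.0.2.10:80          203.0.113.7:51002      ESTABLISHED     4
  TCP    192.0.2.10:80          203.0.113.7:51003      SYN_RECEIVED    4
  TCP    192.0.2.10:80          198.51.100.23:40122    ESTABLISHED     4
  TCP    192.0.2.10:8080        198.51.100.99:40500    ESTABLISHED     2120
  TCP    [2001:db8::10]:80      [2001:db8::beef]:50544 TIME_WAIT       0
'@ -split "`r?`n"

Get-ConnectionCountByRemoteIp -NetstatLines $sample | Format-Table -AutoSize

# On a live server, feed real output and save the result to a separate file (file name is an example):
# Get-ConnectionCountByRemoteIp -NetstatLines (netstat -ano) | Export-Csv port80-by-ip.csv -NoTypeInformation
```

A single address holding a large share of the connections, or many connections stuck in SYN_RECEIVED, is the pattern to look for before blocking an address.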

In this manner, you can successfully find out whether your Windows server is under a DDoS attack. If you notice an unexpectedly high number of connections from a specific IP address, consider implementing measures to lessen the threat.
