How to Check if a Windows Server Is Under DDoS Attack

July 28, 2023 / Servers, Hosting & Email

This guide explains how to check whether a Windows server is under a DDoS attack. If your Windows server is experiencing high load or downtime, it might be under a DDoS attack.

Below are some common signs that indicate a DDoS attack on your server:

  1. The website keeps loading indefinitely.
  2. SQL connection timeouts occur frequently.
  3. Site timeout errors prevent users from accessing the site.
  4. Unable to send or receive emails.
  5. Server resources and ports are completely inaccessible.

If you are facing these issues and all server resources become unavailable, it is likely that your server is under a DDoS attack. Immediate action to analyse and mitigate the attack is crucial to restoring normal operations.

Steps to Check if the Windows server is under DDoS attack:
To determine if your Windows server is experiencing a DDoS attack, you can use the NETSTAT command-line utility. This tool displays current TCP/IP network connections and protocol statistics on your system.

  1. Open the Command Prompt:
    Press Windows + R, type cmd, and hit Enter.
  2. View Current Connections:
    Check how many connections are established on your server by typing the following command:
    netstat -ano
    Explanation of the Flags:
    -a: Displays all connections and listening ports.
    -n: Shows port numbers and addresses in numerical format.
    -o: Displays the owning process ID associated with each connection.
  3. Export Connections to a Text File:
    To create a text file listing all listening ports and their corresponding IP connections, use the command:
    netstat -ano > netstat.txt
  4. Check Connections on Port 80
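    1. To find the total number of connections made on port 80, use the following command:
      netstat -ano | find /i /c ":80"
      This is a substring match, so lines for ports such as 8080 and outbound connections to a remote port 80 are counted as well.
    2. To display the connections, use:
      netstat -ano | find /i ":80"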
    3. Identify and Block IPs with High Connections
      1. Check which IP address has the maximum connections on port 80 and save the output to a separate file.
      2. Once identified, you can block the IP address using the IP security policy.
  5. Check Connections from a Specific IP Address
    To check the number of connections made from a specific IP address, run:
    netstat -ano | find /i /c "IP Address"
    Replace "IP Address" with the actual address you want to investigate.
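
The per-IP count from step 4 can also be taken from the netstat.txt file exported in step 3. The following Python script is an added example, not part of the original guide: it matches the local port exactly and tallies connections per remote address and per TCP state. The sample output, its addresses and the function name are constructed for illustration, and English-language netstat output is assumed.

```python
import re
import sys
from collections import Counter

# Constructed sample of `netstat -ano` output (documentation-range addresses).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:80          203.0.113.5:50111      ESTABLISHED     4
  TCP    192.0.2.10:80          203.0.113.5:50112      SYN_RECEIVED    4
  TCP    192.0.2.10:80          203.0.113.5:50113      ESTABLISHED     4
  TCP    192.0.2.10:80          198.51.100.7:61000     TIME_WAIT       0
  TCP    192.0.2.10:8080        198.51.100.9:61001     ESTABLISHED     1234
  TCP    192.0.2.10:49800       198.51.100.20:80       ESTABLISHED     5678
  TCP    [2001:db8::10]:80      [2001:db8::99]:51000   ESTABLISHED     4
  UDP    0.0.0.0:53             *:*                                    900
"""

# TCP row: proto, local addr:port, foreign addr:port, state, PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def count_by_remote_ip(netstat_text, local_port=80):
    """Count connections to local_port per remote IP, with a per-state tally."""
    per_ip, per_state = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _laddr, lport, raddr, _rport, state, _pid = m.groups()
        # Exact match on the LOCAL port: skips :8080 and outbound traffic
        # to remote port 80, which a substring search for ":80" would count.
        if int(lport) != local_port or state == "LISTENING":
            continue
        per_ip[raddr.strip("[]")] += 1
        per_state[state] += 1
    return per_ip, per_state

if __name__ == "__main__":
    # Pass the exported netstat.txt as the first argument, or run on SAMPLE.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    per_ip, per_state = count_by_remote_ip(text)
    for ip, n in per_ip.most_common(10):
        print(f"{n:6d}  {ip}")
    print(dict(per_state))
```

A large share of SYN_RECEIVED entries, or one address holding most of the connections, is the pattern to look at before blocking an IP in step 4.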

By following these steps, you can effectively determine whether your Windows server is under a DDoS attack. If you notice an unusually high number of connections from a specific IP address, consider implementing measures to mitigate the threat.
