This guide explains how to check whether a Windows server is under a DDoS attack. If you have a Windows server experiencing high load or downtime, it might be under a DDoS attack.
Below are some common signs that indicate a DDoS attack on your server:
- The website keeps loading indefinitely.
- SQL connection timeouts occur frequently.
- Site timeout errors prevent users from accessing the site.
- Unable to send or receive emails.
- Server resources and ports are completely inaccessible.
If you are facing these issues and all server resources become unavailable, it is likely that your server is under a DDoS attack. Immediate action to analyse and mitigate the attack is crucial to restoring normal operations.
Steps to Check if the Windows server is under DDoS attack:
To determine if your Windows server is experiencing a DDoS attack, you can use the NETSTAT command-line utility. This tool displays current TCP/IP network connections and protocol statistics on your system.
- Open the Command Prompt:
  Press Windows + R, type cmd, and hit Enter.
- View Current Connections:
  Check how many connections are established on your server by typing the following command:
  netstat -ano
  Explanation of the Flags:
  a: Displays all connections and listening ports.
  n: Shows port numbers and addresses in numerical format.
  o: Displays the owning process ID associated with each connection.
- Export Connections to a Text File:
  To create a text file listing all listening ports and their corresponding IP connections, use the command:
  netstat -ano > netstat.txt
- Check Connections on Port 80
  - To find the total number of connections made on port 80, use the following command:
    netstat -ano | find /i /c ":80"
  - To display the connections, use:
    netstat -ano | find /i ":80"
  Type the quotation marks as plain straight quotes. Note that find matches substrings, so ":80" also matches ports such as 8080.
- Identify and Block IPs with High Connections
  - Check which IP address has the maximum connections on port 80 and save the output to a separate file.
  - Once identified, you can block the IP address using the IP security policy.
- Check Connections from a Specific IP Address
  To check the number of connections made from a specific IP address, run:
  netstat -ano | find /i /c "IP Address"
  Replace "IP Address" with the actual address you want to investigate.
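The step of finding which IP address has the most connections on port 80 can be scripted. The following PowerShell is an added example, not part of the original guide: it parses netstat -ano output and ranks remote IPs by connection count, matching the local port exactly rather than by substring. The function name Get-RemoteIpCount, the sample rows and the output file name are assumptions, and English-language netstat output is assumed.

```powershell
# Added example: rank remote IPs by TCP connections to one local port.
function Get-RemoteIpCount {                     # hypothetical helper name
    param(
        [string[]]$Lines,                        # lines of "netstat -ano" output
        [int]$Port = 80
    )
    $rows = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        # TCP rows have 5 fields: Proto, Local, Foreign, State, PID.
        # Headers, blank lines and UDP rows (no State column) are skipped.
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        $localAddr, $remoteAddr, $state = $f[1], $f[2], $f[3]
        if ($state -eq 'LISTENING') { continue }   # a listening socket, not a client
        # Compare the text after the last colon, so port 80 is not confused
        # with 8080 or a PID containing "80", and "[ipv6]:port" still parses.
        if ($localAddr.Substring($localAddr.LastIndexOf(':') + 1) -ne "$Port") { continue }
        [pscustomobject]@{
            RemoteIp = $remoteAddr.Substring(0, $remoteAddr.LastIndexOf(':'))
            State    = $state
        }
    }
    $rows | Group-Object RemoteIp | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'RemoteIp'; Expression = { $_.Name } },
            @{ Name = 'States'; Expression = { ($_.Group.State | Sort-Object -Unique) -join ',' } }
}

# Constructed sample rows (documentation-range addresses), not real traffic.
$sample = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:80          203.0.113.5:50111      ESTABLISHED     4
  TCP    192.0.2.10:80          203.0.113.5:50112      ESTABLISHED     4
  TCP    192.0.2.10:80          203.0.113.5:50113      SYN_RECEIVED    4
  TCP    192.0.2.10:80          198.51.100.7:61000     TIME_WAIT       0
  TCP    192.0.2.10:8080        198.51.100.7:61001     ESTABLISHED     1480
  TCP    192.0.2.10:443         198.51.100.9:49800     ESTABLISHED     80
  UDP    0.0.0.0:5353           *:*                                    1804
'@ -split "`r?`n"

Get-RemoteIpCount -Lines $sample -Port 80

# On the server: feed live output in and save the ranking to a file.
# Get-RemoteIpCount -Lines (netstat -ano) | Out-File port80-by-ip.txt
```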
By following these steps, you can effectively determine whether your Windows server is under a DDoS attack. If you notice an unusually high number of connections from a specific IP address, consider implementing measures to mitigate the threat.