At this point, your web server has given up on trying to service new requests. Using software, the hacker has simulated a very large number of people (or connections) visiting your website. Your website is no longer able to handle all these connections, and you and your customers see an error message when you visit it.
How to trace the DDoS attack on the Windows Server
You can always use the netstat command to get a list of connections under Windows. Open a command prompt via Start > Run and type cmd in the box,
or you can try with Alt + R and then type cmd.
netstat is a command line utility which displays protocol statistics and current TCP/IP network connections in a system. Type the following command to see all connections:
netstat -noa
Where:
n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
You can use the find command as a filter to search the output for a specific string of text. The following example counts the lines that contain port 80 traffic (/c prints the number of matching lines):
netstat -ano | find /c "80"
or
netstat -ano | find /i /c ":80"
For example:
C:\Users\Administrator>netstat -ano | find /i /c ":80"
383629
The following command will give you the number of connections for a specific IP address (replace IP with the address):
netstat -ano | find /i /c "IP"
Identify all of the connections on the server:
netstat -n -p tcp
Find the IP address with the highest number of connections and block it using a Cisco firewall or IPSec. Another protective measure is to harden the TCP/IP stack.
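To find that address without reading the netstat listing by eye, the following PowerShell function ranks remote IPs by connection count for one local port. It is an added example, not part of the original post; the function name, its parameters and the sample lines (documentation addresses) are constructed for illustration.

```powershell
# Added example: rank remote IPs by number of TCP connections to a local port.
function Get-TopRemoteAddress {
    param(
        [string[]]$NetstatLines,   # output lines of: netstat -n -p tcp
        [int]$LocalPort = 80,
        [int]$Top = 5
    )
    $portPattern = ':{0}$' -f $LocalPort   # exact match, so :8080 is not counted as :80
    $rows = foreach ($line in $NetstatLines) {
        # Columns: Proto  LocalAddress  ForeignAddress  State
        $f = -split $line
        if ($f.Count -lt 4 -or $f[0] -ne 'TCP') { continue }
        if ($f[1] -notmatch $portPattern) { continue }
        # Drop the trailing :port from the foreign address
        $remote = $f[2] -replace ':\d+$', ''
        [pscustomobject]@{ Remote = $remote; State = $f[3] }
    }
    $rows | Group-Object Remote | Sort-Object Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Remote      = $_.Name
                Connections = $_.Count
                # Many half-open connections from one source suggest a SYN flood
                SynReceived = @($_.Group | Where-Object State -eq 'SYN_RECEIVED').Count
            }
        }
}

# Constructed sample input; on a live server pass (netstat -n -p tcp) instead.
$sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          203.0.113.5:50001      ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:50002      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:50003      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:41000     ESTABLISHED
  TCP    192.0.2.10:8080        198.51.100.7:41001     ESTABLISHED
  TCP    192.0.2.10:3389        198.51.100.9:52000     ESTABLISHED
'@ -split "`r?`n"

Get-TopRemoteAddress -NetstatLines $sample -LocalPort 80 | Format-Table -AutoSize
```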
How to block the IP address using IP security?
Step 1: Click Start > Click Run > Type secpol.msc
Step 2: On the left side you will now see IP Security Policies on Local Computer
Step 3: Right Click > Create IP security policy > Click Next in IP security policy Wizard
Step 4: In the Name field give your Policy name and type a description.
Step 5: Click Next > Leave activate ticked > Click Next
Step 6: Leave the edit properties ticked > Click Finish
Step 7: You will get the properties window > Click ADD > Click Next to continue.
Step 8: Leave This rule does not specify a tunnel selected > Click Next
Step 9: Leave all network connections selected > Click Next
Step 10: You will now be on the IP filter list. You need to create a new filter, so don’t select any of the default ones. Click ADD
Step 11: Type a Name for your list, say Blacklist > Type a description, it can be the same as the name > Click ADD > Click Next to continue.
Step 12: In the description box type a description. As it's the first IP you are blocking, say IP Blacklist 1 > Leave Mirrored ticked > Click Next
Step 13: The Source address should be left as Specific IP address > Enter the IP address the attack is coming from > Click Next
Step 14: In IP traffic destination select A Specific IP address or A Specific Subnet for the Destination address.
Type in the IP address you want to block and if blocking a subnet type in the subnet block. Click Next.
Step 15: Leave the protocol type as Any > Click Next > Finish
Step 16: Right click on the Policy and Click Assign.
Step 17: Restart the IPsec service:
Start > Run > type services.msc > Select IPsec Services > Click Restart
Or you can block directly through cmd with the following commands:
Block a single IP (or subnet*)
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=IP/32
*You will need to replace the mask “/32” with the actual subnet mask to block the entire subnet.
For example (using IP 192.168.1.11):
netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=192.168.1.11/32
Block a list of IPs/subnets
– First create your list of IPs/subnets in a plain text file, one entry per line, and name it “ips.txt”
– Then run the following command from the folder where your file “ips.txt” has been saved
for /f %i in (ips.txt) do netsh advfirewall firewall add rule name="Block %i" dir=in protocol=any action=block remoteip=%i
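A mistyped line or an over-wide mask in “ips.txt” can lock out legitimate clients or your own management address, so it is worth checking the entries before creating rules. The PowerShell below is an added example, not part of the original post: it validates IPv4 entries and prints one netsh command with a comma-separated remoteip list for review. The function name, the never-block list, the minimum prefix of 16 and the sample entries are assumptions.

```powershell
# Added example: validate blocklist entries, then print one rule for review.
function Get-ValidBlockEntry {
    param(
        [string[]]$Lines,             # contents of ips.txt, one entry per line
        [string[]]$NeverBlock = @(),  # assumption: addresses you must not lock out
        [int]$MinPrefix = 16          # assumption: refuse subnets wider than this
    )
    foreach ($raw in $Lines) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }
        $addr, $prefix = $entry -split '/', 2
        $ip = $null
        $ok = [System.Net.IPAddress]::TryParse($addr, [ref]$ip)
        # TryParse accepts short forms such as "10.1"; require a full dotted-quad IPv4
        if (-not $ok -or $ip.ToString() -ne $addr -or
            $ip.AddressFamily -ne 'InterNetwork') {
            Write-Warning "skipped (not an IPv4 address): $entry"; continue
        }
        if ($null -ne $prefix -and ($prefix -notmatch '^\d{1,2}$' -or
            [int]$prefix -lt $MinPrefix -or [int]$prefix -gt 32)) {
            Write-Warning "skipped (bad or too-wide mask): $entry"; continue
        }
        if ($NeverBlock -contains $addr) {
            Write-Warning "skipped (on the never-block list): $entry"; continue
        }
        $entry   # passed every check
    }
}

# Constructed sample; on a live server use: Get-Content .\ips.txt
$sample = @'
203.0.113.5
198.51.100.0/24
192.0.2.10
10.1
203.0.113.0/4
not-an-ip
'@ -split "`r?`n"

$valid = @(Get-ValidBlockEntry -Lines $sample -NeverBlock '192.0.2.10')
if ($valid.Count -gt 0) {
    # Only prints the command; run it yourself after reviewing the list
    'netsh advfirewall firewall add rule name="IP Block list" dir=in action=block remoteip={0}' -f ($valid -join ',')
}
```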
Block a specific port
If you do not want a specific port to be used, you can block it with this command:
netsh advfirewall firewall add rule name="3306" protocol=TCP dir=in localport=3306 action=block
Wish you luck :)