
I was recently notified by my monitoring service that a few Windows 2008 servers (Hyper-V instances) were down.

I logged into the Hyper-V box and noticed everything was super slow. I opened task manager and saw that while CPU and RAM were fine, network utilization on our "Public" NIC was at 99%.

This lasted for about 10 minutes, during which time I found that disabling inbound connections for one of the servers caused the network saturation to drop to normal levels. I disabled that server's inbound connections to allow the other servers to operate, and eventually the traffic went away.

I suspect this was a DDOS or regular Denial of Service attack, but it seems pretty random. The server in question is very low visibility and not a lot of value would come from someone taking it down.

What would be the best way to tell if I am experiencing a DDOS attack? Is there anything else that you could think of that would cause this, and, if so, what should I look for?

EDIT: This happened again. I tried netstat -noa but didn't see anything useful. I was hoping there was some command or program I could run that would show me how much bandwidth each IP is using (i.e., it says network utilization is 100%, but how does that add up). Does anything like that exist?

Adam Brand

3 Answers

Maybe this will help?

Detecting DoS / DDoS Attack on a Windows 2003 / 2008 Server

netstat is a command line utility which displays protocol statistics and current TCP/IP network connections in a system. Type the following command to see all connections:

netstat -noa

Where,

  1. n: Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  2. o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager.
  3. a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

  • This would help if you have an active attack condition. Not later. It would have really helped to predict such attacks and keep the inbound traffic mirrored into a 1TB rolling packet-capture for that matter ;-) – nik Jul 14 '09 at 04:59

Servers are usually DoS'ed with connections rather than packets.
So, a full utilization of the network path is not always necessary.

If yours was a DDoS/DoS, it should have tripped your IDS in the inbound path (assuming you have one).

Since you say it was a low visibility web server, could it be someone inside or outside your enterprise mirroring it with a full rate wget kind of activity? That would choke your Hyper-V system if you have sufficient bandwidth on your uplink. It would also explain a short lived 'attack'.

nik
  • Well that's the strange thing...the IIS logs aren't any larger than normal...so I don't think it was a bunch of http connections. This particular system is login protected (asp.net security), so wget wouldn't be easy to do. We have a 10 mbit inbound connection dedicated to this server (from our ISP, it is a hosted server). There isn't an IDS in place. – Adam Brand Jul 14 '09 at 02:49
  • Can you confirm that the high network activity was definitely from outside your network (that is, from the uplink) and there are no failed-communications logs in your Windows server? Things like Conficker are known to attempt a large-scale exploit attempt. Yet, based on what you have said, I doubt Conficker itself is involved here. – nik Jul 14 '09 at 03:04
  • Yes, it was definitely from outside, and inbound. If I disabled inbound traffic (but not outbound) to that IP, things went back to normal. What do you mean by "failed-communication logs"? Where would those be? – Adam Brand Jul 14 '09 at 14:38
  • @Adam, I was referring to things like EventLog messages that indicate a login attempt was made with well known ID strings (like admin, root, etc) registered on your Windows server `%SystemRoot%\system32\eventvwr.msc /s` security logs. – nik Jul 14 '09 at 16:07
  • Did you try to capture any part of this traffic to see its nature? I ask because you were around when the problem occurred. A capture helps a lot in identifying what was really happening (see my other exaggerated comment about the 1TB rolling capture). – nik Jul 14 '09 at 16:09
  • Sorry for the late reply...how would you recommend capturing the traffic within a Hyper-V environment? Would Wireshark work do you think? – Adam Brand Jul 20 '09 at 21:54
  • I have used wireshark (tshark) on VMWare machines. But, not on Hyper-V. Guess it should. – nik Jul 21 '09 at 03:29

I found the following in Windows Server 2008 TCP/IP Protocols and Services.

To see a SYN attack in progress on a computer running Windows Server 2008 or Windows Vista, use the Netstat.exe tool at a command prompt to display the active TCP connections. For example:

(screenshot of the netstat output omitted)

This is an example of a SYN attack. There are a number of TCP connections in the SYN_RECEIVED state, and the foreign address is a spoofed private address with incrementally increasing TCP port numbers. SYN_RECEIVED is the state of a TCP connection that has received a SYN, sent a SYN-ACK, and is waiting for the final ACK.

which is confusing, because later on it says:

TCP in Windows Server 2008 and Windows Vista uses SYN attack protection to prevent a SYN attack from overwhelming the computer.

...so if that is the case, how would the above command help?

Adam Brand
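The first answer suggests `netstat -noa` and the third quotes the book's description of what a SYN flood looks like in that output (many `SYN_RECEIVED` entries, a private foreign address, sequentially increasing source ports). Reading that by eye across hundreds of lines is hard, so here is an added example, not from the original thread or the cited book, that parses saved `netstat -noa` text and applies those three tells. The sample output, the `half_open_threshold` value and all function names are my own constructions. One caveat that bears on the asker's edit: netstat counts connections, not bytes, so it tells you who is holding connections on the box, not which IP is eating the bandwidth; a packet capture (as nik suggests) is needed for that.

```python
"""Summarise `netstat -noa` output by foreign address and TCP state.

Added example (not from the original post or the cited book). It parses
the text that Windows `netstat -noa` prints, counts connections per
remote IP and per state, and flags sources that look like a SYN flood:
many SYN_RECEIVED entries from one address, a private (RFC 1918) source
address on a public-facing server, and source ports that increase
sequentially. netstat reports connections, not bytes, so this answers
"who is holding connections", not "who is using the bandwidth".
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of `netstat -noa` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1212
  TCP    203.0.113.10:80        198.51.100.7:52311     ESTABLISHED     4
  TCP    203.0.113.10:80        198.51.100.7:52312     ESTABLISHED     4
  TCP    203.0.113.10:80        192.168.2.9:1025       SYN_RECEIVED    4
  TCP    203.0.113.10:80        192.168.2.9:1026       SYN_RECEIVED    4
  TCP    203.0.113.10:80        192.168.2.9:1027       SYN_RECEIVED    4
  TCP    203.0.113.10:80        192.168.2.9:1028       SYN_RECEIVED    4
  TCP    203.0.113.10:80        192.168.2.9:1029       SYN_RECEIVED    4
  TCP    [::]:135               [::]:0                 LISTENING       736
  UDP    0.0.0.0:123            *:*                                    1024
"""


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '[::1]:80' -> ('::1', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP line; UDP lines have no state column and are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # header, blank, or UDP line
        _, local, foreign, state, pid = fields
        fip, fport = split_endpoint(foreign)
        conns.append({"foreign_ip": fip, "foreign_port": fport,
                      "state": state, "pid": int(pid)})
    return conns


def summarise(conns):
    """Counts per (foreign IP, state) and the source ports seen per IP; LISTENING sockets ignored."""
    by_ip_state = Counter()
    ports = defaultdict(list)
    for c in conns:
        if c["state"] == "LISTENING":
            continue
        by_ip_state[(c["foreign_ip"], c["state"])] += 1
        ports[c["foreign_ip"]].append(c["foreign_port"])
    return by_ip_state, ports


def is_sequential(ports):
    """True if the source ports form one run of consecutive integers (a SYN-flood tell)."""
    s = sorted(ports)
    return len(s) > 1 and s == list(range(s[0], s[0] + len(s)))


def suspicious_sources(conns, half_open_threshold=5):
    """Foreign IPs with at least `half_open_threshold` SYN_RECEIVED entries, with the reasons."""
    by_ip_state, ports = summarise(conns)
    findings = {}
    for (ip, state), n in by_ip_state.items():
        if state != "SYN_RECEIVED" or n < half_open_threshold:
            continue
        reasons = ["%d half-open connections" % n]
        try:
            if ipaddress.ip_address(ip).is_private:
                reasons.append("private source address on a public interface (likely spoofed)")
        except ValueError:
            pass  # not an IP literal; leave it unclassified
        if is_sequential(ports[ip]):
            reasons.append("sequential source ports")
        findings[ip] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # On the server:  netstat -noa > ns.txt   then   python netstat_summary.py ns.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    conns = parse_netstat(text)
    by_ip_state, _ = summarise(conns)
    for (ip, state), n in by_ip_state.most_common():
        print("%5d  %-15s  %s" % (n, ip, state))
    for ip, reasons in suspicious_sources(conns).items():
        print("SUSPECT", ip, "; ".join(reasons))
```

Run it against a saved `netstat -noa` snapshot taken while the problem is happening (as nik notes, it is useless afterwards). A source that shows up with a large ESTABLISHED count and none of the SYN-flood tells is more consistent with the "someone mirroring the site" theory in the second answer than with a SYN attack; and if nothing stands out in netstat at all while the NIC is saturated, the traffic is probably not connection-oriented and only a capture will tell you what it is.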