How to find DoS attack source IP address in windows server 2008?

2

I have a Windows Server 2008 R2 which is a victim of a DoS attack. How can I find out which IP is the source of the attack?

I have an anti-DoS module on IIS 7.0 which works fine, but it seems the destination is not port 80 and the attack is blind (the attacker has attacked some IP addresses which are not mine) and just consumes my bandwidth. I have a 1000 Mbps network card which is fully utilized by the attacker, so he has at least a server with 1000 Mbps. I have unmetered bandwidth at this data center but the security support is awful.

I have tried 'TCPView' to find more details, but the server freezes when the attack starts because of high CPU usage (100%).

Is there any software solution for this problem? How can I distinguish the attacker's IP address from normal users (connections with a high transfer rate)?

Xaqron

Posted 2011-08-02T13:26:14.140

Reputation: 148

Do you have some kind of firewall in the way (if so, what model?), or just the software firewall? Is it sitting out on the Internet, or NAT'ted? Do you need any other ports open other than 80? – KCotreau – 2011-08-02T13:29:54.987

Answers

6

Any DoS attack worth caring about is going to have a lot more than just one IP address behind it. If one IP is causing you trouble, something isn't set up right. Which brings me to part two...

IIS and even the operating system are the wrong place to worry about this kind of attack. You want a firewall or gateway security appliance that can detect and block the traffic at that level, before it ever reaches your server.

Joel Coehoorn

Posted 2011-08-02T13:26:14.140

Reputation: 26 787

+1 I was wondering if it was like a lot of these cloud services, where the VM basically has no hardware firewall to drop such connections in the first place. – KCotreau – 2011-08-02T13:40:39.580

+1 You're right. It was a DDoS attack. – Xaqron – 2011-08-02T17:04:56.160

2

If you really think it is DoS (and not a DDoS, where the source IPs of the attackers are different), then you can use this command to quickly view the network connections on the server:

netstat -an

Vinay Kudithipudi

Posted 2011-08-02T13:26:14.140

Reputation: 53

And if there are 200 normal users on the server, how can I find the bandwidth usage and find the attacker among the normal users? – Xaqron – 2011-08-02T13:50:38.817
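One way to act on this answer and the follow-up comment, as an added example that is not part of the original post: PowerShell that groups `netstat -an` output by remote host and reports addresses holding an unusual number of TCP sockets, so a few noisy peers stand out from the 200 normal users. It assumes Windows PowerShell 2.0 (present on Server 2008 R2) and the English netstat column layout; Find-NoisyRemotes, Get-RemoteHost and the threshold value are this example's own names and choices, not documented settings.

```powershell
# Added example, not from the original answer: summarise 'netstat -an' per remote host
# so a few addresses holding a disproportionate share of connections stand out.
# Written for Windows PowerShell 2.0 (ships with Server 2008 R2); the threshold is an
# assumed tuning value, not a documented setting.

function Get-RemoteHost {
    # netstat prints "10.0.0.5:443" for IPv4 and "[2001:db8::1]:443" for IPv6; drop the port
    param([string]$Endpoint)
    if ($Endpoint -match '^\[(.+)\]:\d+$') { return $Matches[1] }
    if ($Endpoint -match '^(.+):\d+$')     { return $Matches[1] }
    return $Endpoint
}

function Find-NoisyRemotes {
    param(
        [string[]]$NetstatLines,   # raw lines from 'netstat -an'
        [int]$Threshold = 50       # flag hosts with at least this many TCP sockets
    )
    # English netstat columns: Proto  Local Address  Foreign Address  State
    # UDP rows carry no peer or state and never match this pattern.
    $rows = foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$') {
            $state = $Matches[3]
            if ($state -eq 'LISTENING') { continue }   # no peer yet, nothing to attribute
            New-Object PSObject -Property @{
                Remote = Get-RemoteHost $Matches[2]
                State  = $state
            }
        }
    }
    $rows | Group-Object Remote | Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending | ForEach-Object {
            $g = $_
            New-Object PSObject -Property @{
                Remote      = $g.Name
                Connections = $g.Count
                # many half-open sockets from one host is the classic SYN-flood signature
                HalfOpen    = @($g.Group | Where-Object { $_.State -eq 'SYN_RECEIVED' }).Count
            }
        }
}

# Live run: -n skips DNS lookups, which is a large part of what makes TCPView expensive under load
$report = Find-NoisyRemotes -NetstatLines (netstat -an) -Threshold 50
if ($report) { $report | Format-Table Remote, Connections, HalfOpen -AutoSize }
else { 'No remote host at or above the threshold; the flood is likely upstream of the socket layer.' }
```

This counts sockets, not bytes, so a bandwidth flood with spoofed or unreachable sources such as the one described in the question will not show up here and needs a counter on the firewall or the provider's edge, which is the point of the accepted answer.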