How to check Denial of Service Attacks


Attackers use DDoS attacks to degrade or exhaust server performance.


If your server is under attack, the website and server become slow and you may get a "Service Unavailable" or "Timeout" error.


If you are using Windows services, ensure that Windows Firewall is enabled on your server.


Run the below commands in the Windows server command prompt (CMD) to check the number of connections to your server.


To display all the connections:

netstat -an

netstat -ano | find ":"


To check total connections:

netstat -ano | find ":" /c


To check total connections on port 80 and 443:

netstat -ano | find ":80" /c

netstat -ano | find ":443" /c


To display all the connections to port 80 and 443 with IP address:

netstat -ano | find ":80"  

netstat -ano | find ":443"


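Change the port number in the above commands to check the number of connections to other ports. The match is a plain substring search, so a search for port 80 also counts ports such as 8080 and lines where the remote port is 80.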


You can also review the server's connection logs (the IIS logs) under C:\inetpub\logs\LogFiles\.


If you find many connections from a particular IP address or to a particular port number, you can block it using Windows Firewall.


Run the below command to block an IP address in Windows Firewall.


netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=<IP_Address>/32


To block another IP address, connect over RDP and go to Windows Firewall with Advanced Security >> click Inbound Rules >> double-click the "IP Block" rule.


Click on Scope >> under "Remote IP Address", add the IP from which you are getting more connections and click "OK".


If you find many connections on a specific port, you can restrict them by creating a new rule for that port in "Windows Firewall with Advanced Security".


Please refer to the URL: for more details about Windows Firewall with Advanced Security.


In Linux Server:


Run the below command to list the open connections to the server and sort them by the number of connections per remote IP address.


netstat -na | awk '{print $5}' | cut -d ":" -f1 | sort | uniq -c | sort -n


You can also check the number of connections by running the following commands:


netstat -plan | grep :80 | awk '{print $4 }' | sort -n | uniq -c | sort




netstat -n | grep ':80' | awk -F' ' '{print $5}' | awk -F':' '{print $1}' | sort | uniq -c | sort -n


These are a few steps to take when you suspect the server is under attack:


Step 1: Check the load using the command "w".

Step 2: Check which service is using the most CPU with "nice top".

Step 3: Check which IP has the most connections with:

netstat -anpl | grep :80 | awk '{print $5}' | cut -d":" -f1 | sort | uniq -c | sort -n

Step 4: Then block the IP using the firewall (csf or iptables), for example "csf -d <IP>".


You can also implement security features in your server like:


1) Install Apache modules like mod_dosevasive and mod_security on your server.

2) Configure CSF and iptables to reduce the impact of DDoS attacks.

3) Configure sysctl parameters in your server to drop attacks.