Need a little advice: am I being attacked? Our server has been going up and down for days now and we're trying to establish whether it's an attack or not. I've never dealt with this before, but here is what shows from the netstat command:
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\AWalker>netstat
Active Connections
Proto Local Address Foreign Address State
TCP 213.229.65.170:3389 adsl-83-100-203-24:63066 ESTABLISHED
TCP 213.229.65.170:50064 209.85.148.147:https TIME_WAIT
TCP 213.229.65.170:50065 209.85.148.147:https ESTABLISHED
TCP 213.229.65.170:50066 209.85.148.147:http ESTABLISHED
TCP 213.229.65.170:50067 209.85.148.147:http ESTABLISHED
TCP 213.229.65.170:50068 209.85.148.147:http ESTABLISHED
TCP 213.229.65.170:50069 209.85.148.147:http ESTABLISHED
TCP 213.229.65.170:50070 209.85.148.103:http ESTABLISHED
TCP 213.229.65.170:50071 ww-in-f104:http ESTABLISHED
TCP 213.229.65.170:50072 ww-in-f147:http ESTABLISHED
TCP 213.229.65.170:50073 209.85.148.147:http ESTABLISHED
TCP 213.229.65.170:50074 68.142.116.179:27017 ESTABLISHED
TCP 213.229.65.170:50081 cdce:http ESTABLISHED
TCP 213.229.65.170:50082 209.85.148.148:http ESTABLISHED
TCP 213.229.65.170:50083 209.85.148.102:http ESTABLISHED
TCP 213.229.65.170:50087 209.85.148.148:http ESTABLISHED
TCP 213.229.65.170:50088 209.85.148.102:http ESTABLISHED
TCP 213.229.65.170:50089 cdce:http ESTABLISHED
TCP 213.229.65.170:50090 cdce:http ESTABLISHED
TCP 213.229.65.170:50091 cdce:http ESTABLISHED
TCP 213.229.65.170:50092 cdce:http ESTABLISHED
TCP 213.229.65.170:50093 cdce:http ESTABLISHED
TCP 213.229.65.170:50097 a92-122-127-9:http ESTABLISHED
TCP 213.229.65.170:50098 2.18.127.139:http ESTABLISHED
TCP 213.229.65.170:50100 69.167.143.172:http ESTABLISHED
TCP 213.229.65.170:50101 69.167.143.172:http ESTABLISHED
TCP 213.229.65.170:50102 a92-122-126-226:http ESTABLISHED
TCP 213.229.65.170:50104 a92-122-126-234:http ESTABLISHED
TCP 213.229.65.170:50105 a92-122-126-219:http ESTABLISHED
TCP 213.229.65.170:50108 LB150:http CLOSE_WAIT
TCP 213.229.65.170:50109 www-15-01-ash2:http ESTABLISHED
TCP 213.229.65.170:50110 209.85.148.149:http ESTABLISHED
TCP 213.229.65.170:50111 209.85.148.149:http ESTABLISHED
TCP 213.229.65.170:50112 209.85.148.149:http ESTABLISHED
TCP 213.229.65.170:50114 209.85.148.113:http ESTABLISHED
TCP 213.229.65.170:50115 a92-122-126-217:http ESTABLISHED
TCP 213.229.65.170:50116 a92-122-127-19:http ESTABLISHED
TCP 213.229.65.170:50118 a92-122-126-248:http ESTABLISHED
TCP 213.229.65.170:50119 a92-122-126-250:http ESTABLISHED
C:\Users\AWalker>netstat
Active Connections
Proto Local Address Foreign Address State
TCP 213.229.65.170:3389 adsl-83-100-203-24:63073 ESTABLISHED
TCP 213.229.65.170:50074 68.142.116.179:27017 ESTABLISHED
TCP 213.229.65.170:50087 209.85.148.148:http ESTABLISHED
TCP 213.229.65.170:50097 a92-122-127-9:http ESTABLISHED
TCP 213.229.65.170:50098 2.18.127.139:http ESTABLISHED
TCP 213.229.65.170:50102 a92-122-126-226:http ESTABLISHED
TCP 213.229.65.170:50104 a92-122-126-234:http ESTABLISHED
TCP 213.229.65.170:50105 a92-122-126-219:http ESTABLISHED
TCP 213.229.65.170:50109 www-15-01-ash2:http ESTABLISHED
TCP 213.229.65.170:50115 a92-122-126-217:http ESTABLISHED
TCP 213.229.65.170:50118 a92-122-126-248:http ESTABLISHED
TCP 213.229.65.170:50119 a92-122-126-250:http ESTABLISHED
C:\Users\AWalker>netstat -noa
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1324
TCP 0.0.0.0:10011 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:30033 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 384
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 768
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 808
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 472
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1356
TCP 213.229.65.170:139 0.0.0.0:0 LISTENING 4
TCP 213.229.65.170:3389 83.100.203.24:63073 ESTABLISHED 1324
TCP 213.229.65.170:27015 0.0.0.0:0 LISTENING 2924
TCP 213.229.65.170:50074 68.142.116.179:27017 ESTABLISHED 2924
TCP 213.229.65.170:50087 209.85.148.148:80 ESTABLISHED 2948
TCP 213.229.65.170:50097 92.122.127.9:80 TIME_WAIT 0
TCP 213.229.65.170:50098 2.18.127.139:80 TIME_WAIT 0
TCP 213.229.65.170:50102 92.122.126.226:80 TIME_WAIT 0
TCP 213.229.65.170:50104 92.122.126.234:80 TIME_WAIT 0
TCP 213.229.65.170:50105 92.122.126.219:80 TIME_WAIT 0
TCP 213.229.65.170:50109 69.63.189.34:80 TIME_WAIT 0
TCP 213.229.65.170:50115 92.122.126.217:80 TIME_WAIT 0
TCP 213.229.65.170:50118 92.122.126.248:80 TIME_WAIT 0
TCP 213.229.65.170:50119 92.122.126.250:80 TIME_WAIT 0
TCP 213.229.65.170:50124 2.19.223.139:80 ESTABLISHED 2948
TCP 213.229.65.170:50125 209.85.229.101:80 ESTABLISHED 2948
TCP 213.229.65.170:50126 209.85.229.101:80 ESTABLISHED 2948
TCP 213.229.65.170:50127 69.167.143.172:80 ESTABLISHED 2948
TCP 213.229.65.170:50128 69.167.143.172:80 ESTABLISHED 2948
TCP 213.229.65.170:50129 92.123.154.98:80 ESTABLISHED 2948
TCP 213.229.65.170:50134 69.63.189.31:80 ESTABLISHED 2948
TCP 213.229.65.170:50137 209.85.143.148:80 ESTABLISHED 2948
TCP 213.229.65.170:50138 209.85.143.148:80 ESTABLISHED 2948
TCP 213.229.65.170:50140 209.85.227.138:80 ESTABLISHED 2948
TCP 213.229.65.170:50144 64.124.194.46:80 TIME_WAIT 0
TCP 213.229.65.170:50149 92.123.154.73:80 ESTABLISHED 2948
TCP 213.229.65.170:50152 188.40.78.141:80 TIME_WAIT 0
TCP 213.229.65.170:50153 69.167.156.26:80 ESTABLISHED 2948
TCP 213.229.65.170:50154 64.124.194.46:80 CLOSE_WAIT 2948
TCP 213.229.65.170:50155 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50157 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50159 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50160 184.106.37.59:80 ESTABLISHED 2948
TCP 213.229.65.170:50164 94.23.121.26:80 TIME_WAIT 0
TCP 213.229.65.170:50167 74.123.148.72:80 ESTABLISHED 2948
TCP 213.229.65.170:50180 75.126.153.206:80 ESTABLISHED 2948
TCP 213.229.65.170:50181 75.126.153.206:80 ESTABLISHED 2948
TCP 213.229.65.170:50183 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50184 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50185 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50186 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50192 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50193 75.126.153.210:80 ESTABLISHED 2948
TCP 213.229.65.170:50194 209.85.143.155:80 ESTABLISHED 2948
TCP 213.229.65.170:50195 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50196 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50197 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50198 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50199 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50200 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50201 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50202 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50203 2.20.28.74:80 ESTABLISHED 2948
TCP 213.229.65.170:50204 92.123.154.72:80 ESTABLISHED 2948
TCP 213.229.65.170:50205 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50206 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50207 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50208 8.18.45.80:80 ESTABLISHED 2948
TCP 213.229.65.170:50209 8.18.45.81:80 ESTABLISHED 2948
TCP 213.229.65.170:50210 92.123.154.83:80 ESTABLISHED 2948
TCP 213.229.65.170:50211 209.85.227.138:80 ESTABLISHED 2948
TCP 213.229.65.170:50212 75.126.153.210:80 ESTABLISHED 2948
TCP 213.229.65.170:50213 204.11.109.22:80 ESTABLISHED 2948
TCP 213.229.65.170:50214 204.11.109.22:80 ESTABLISHED 2948
TCP 213.229.65.170:50215 204.11.109.24:80 ESTABLISHED 2948
TCP 213.229.65.170:50216 204.11.109.24:80 ESTABLISHED 2948
TCP 213.229.65.170:50217 92.123.154.57:80 ESTABLISHED 2948
TCP 213.229.65.170:50219 74.200.246.228:80 ESTABLISHED 2948
TCP 213.229.65.170:50220 68.67.185.211:80 ESTABLISHED 2948
TCP 213.229.65.170:50222 205.209.52.100:80 ESTABLISHED 2948
TCP 213.229.65.170:50223 93.184.220.20:80 ESTABLISHED 2948
TCP [::]:135 [::]:0 LISTENING 676
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 1324
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 384
TCP [::]:49153 [::]:0 LISTENING 768
TCP [::]:49154 [::]:0 LISTENING 808
TCP [::]:49155 [::]:0 LISTENING 480
TCP [::]:49156 [::]:0 LISTENING 472
TCP [::]:49157 [::]:0 LISTENING 1356
UDP 0.0.0.0:500 *:* 808
UDP 0.0.0.0:1000 *:* 2028
UDP 0.0.0.0:4500 *:* 808
UDP 0.0.0.0:5355 *:* 940
UDP 0.0.0.0:26901 *:* 2924
UDP 0.0.0.0:27005 *:* 2924
UDP 0.0.0.0:27015 *:* 2924
UDP 0.0.0.0:27020 *:* 2924
UDP 0.0.0.0:50443 *:* 2028
UDP 213.229.65.170:137 *:* 4
UDP 213.229.65.170:138 *:* 4
UDP [::]:500 *:* 808
UDP [::]:4500 *:* 808
C:\Users\AWalker>netstat -noa
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1324
TCP 0.0.0.0:10011 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:30033 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 384
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 768
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 808
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 472
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1356
TCP 213.229.65.170:139 0.0.0.0:0 LISTENING 4
TCP 213.229.65.170:3389 83.100.203.24:63073 ESTABLISHED 1324
TCP 213.229.65.170:27015 0.0.0.0:0 LISTENING 2924
TCP 213.229.65.170:50074 68.142.116.179:27017 ESTABLISHED 2924
TCP 213.229.65.170:50087 209.85.148.148:80 ESTABLISHED 2948
TCP 213.229.65.170:50124 2.19.223.139:80 ESTABLISHED 2948
TCP 213.229.65.170:50125 209.85.229.101:80 ESTABLISHED 2948
TCP 213.229.65.170:50126 209.85.229.101:80 ESTABLISHED 2948
TCP 213.229.65.170:50134 69.63.189.31:80 ESTABLISHED 2948
TCP 213.229.65.170:50137 209.85.143.148:80 ESTABLISHED 2948
TCP 213.229.65.170:50138 209.85.143.148:80 ESTABLISHED 2948
TCP 213.229.65.170:50140 209.85.227.138:80 ESTABLISHED 2948
TCP 213.229.65.170:50152 188.40.78.141:80 TIME_WAIT 0
TCP 213.229.65.170:50153 69.167.156.26:80 TIME_WAIT 0
TCP 213.229.65.170:50155 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50157 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50159 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50160 184.106.37.59:80 TIME_WAIT 0
TCP 213.229.65.170:50164 94.23.121.26:80 TIME_WAIT 0
TCP 213.229.65.170:50167 74.123.148.72:80 ESTABLISHED 2948
TCP 213.229.65.170:50183 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50184 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50185 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50186 173.194.37.104:80 ESTABLISHED 2948
TCP 213.229.65.170:50192 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50194 209.85.143.155:80 ESTABLISHED 2948
TCP 213.229.65.170:50195 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50196 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50197 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50198 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50199 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50200 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50201 92.123.154.215:80 ESTABLISHED 2948
TCP 213.229.65.170:50202 92.123.154.91:80 ESTABLISHED 2948
TCP 213.229.65.170:50203 2.20.28.74:80 ESTABLISHED 2948
TCP 213.229.65.170:50204 92.123.154.72:80 ESTABLISHED 2948
TCP 213.229.65.170:50205 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50206 209.85.143.165:80 ESTABLISHED 2948
TCP 213.229.65.170:50207 209.85.143.165:80 TIME_WAIT 0
TCP 213.229.65.170:50208 8.18.45.80:80 ESTABLISHED 2948
TCP 213.229.65.170:50209 8.18.45.81:80 ESTABLISHED 2948
TCP 213.229.65.170:50210 92.123.154.83:80 ESTABLISHED 2948
TCP 213.229.65.170:50211 209.85.227.138:80 ESTABLISHED 2948
TCP 213.229.65.170:50213 204.11.109.22:80 ESTABLISHED 2948
TCP 213.229.65.170:50215 204.11.109.24:80 ESTABLISHED 2948
TCP 213.229.65.170:50217 92.123.154.57:80 ESTABLISHED 2948
TCP [::]:135 [::]:0 LISTENING 676
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 1324
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 384
TCP [::]:49153 [::]:0 LISTENING 768
TCP [::]:49154 [::]:0 LISTENING 808
TCP [::]:49155 [::]:0 LISTENING 480
TCP [::]:49156 [::]:0 LISTENING 472
TCP [::]:49157 [::]:0 LISTENING 1356
UDP 0.0.0.0:500 *:* 808
UDP 0.0.0.0:1000 *:* 2028
UDP 0.0.0.0:4500 *:* 808
UDP 0.0.0.0:5355 *:* 940
UDP 0.0.0.0:26901 *:* 2924
UDP 0.0.0.0:27005 *:* 2924
UDP 0.0.0.0:27015 *:* 2924
UDP 0.0.0.0:27020 *:* 2924
UDP 0.0.0.0:50443 *:* 2028
UDP 213.229.65.170:137 *:* 4
UDP 213.229.65.170:138 *:* 4
UDP [::]:500 *:* 808
UDP [::]:4500 *:* 808
[b]It's smoothened out now and I did the command again.[/b]
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\AWalker>netstat
Active Connections
Proto Local Address Foreign Address State
TCP 213.229.65.170:3389 adsl-83-100-203-24:63370 ESTABLISHED
C:\Users\AWalker>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 676
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1324
TCP 0.0.0.0:10011 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:30033 0.0.0.0:0 LISTENING 2028
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 384
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 768
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 808
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 472
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 1356
TCP 213.229.65.170:139 0.0.0.0:0 LISTENING 4
TCP 213.229.65.170:3389 83.100.203.24:63370 ESTABLISHED 1324
TCP [::]:135 [::]:0 LISTENING 676
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 1324
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49152 [::]:0 LISTENING 384
TCP [::]:49153 [::]:0 LISTENING 768
TCP [::]:49154 [::]:0 LISTENING 808
TCP [::]:49155 [::]:0 LISTENING 480
TCP [::]:49156 [::]:0 LISTENING 472
TCP [::]:49157 [::]:0 LISTENING 1356
UDP 0.0.0.0:500 *:* 808
UDP 0.0.0.0:1000 *:* 2028
UDP 0.0.0.0:4500 *:* 808
UDP 0.0.0.0:5355 *:* 940
UDP 0.0.0.0:50443 *:* 2028
UDP 213.229.65.170:137 *:* 4
UDP 213.229.65.170:138 *:* 4
UDP [::]:500 *:* 808
UDP [::]:4500 *:* 808
C:\Users\AWalker>
Looks like a DoS to me with all the connections from 213.229.65.170, just ban him with a firewall (even Windows Firewall should do).
[editline]2nd January 2011[/editline]
Or you could block him in the router, it's supported by most routers.
There is no web server running on it, just a Gmod server and TeamSpeak 3, yet this keeps happening. I can hardly get on it at the minute and it has been going mental all night. Earlier I could do the netstat, now I hardly have a break to get on the remote desktop.
And where would I find the thing in Windows Firewall?
Oh, and the 213.229.65.170 is the server's IP :lol: I think the foreign address is the bit to look at.
Don't know they can't get on port 80 because no web service is running. One of the IPs goes to some Russian shop, [url]http://www.9774444.ru/[/url]
What do I block them with?
Block them with IPSec, Google'll tell you how.
[QUOTE=Humberside;27160438]There is no web server running on it, just a Gmod server and TeamSpeak 3, yet this keeps happening. I can hardly get on it at the minute and it has been going mental all night. Earlier I could do the netstat, now I hardly have a break to get on the remote desktop.
And where would I find the thing in Windows Firewall?
Oh, and the 213.229.65.170 is the server's IP :lol: I think the foreign address is the bit to look at.[/QUOTE]
:suicide:
If you don't even have a webserver running it's definitely a DDoS, block the whole port.
OK, I have put Windows Firewall on. Is it right that on the Domain Profile, inbound connections that do not match a rule are blocked and outbound connections that do not match a rule are allowed?
Anyone here an expert in this that could sort it out for me? It's still happening.
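A way to read the `netstat -noa` listings in this thread, as an added example that is not part of any post: it separates connections arriving on one of the server's listening ports from connections the server itself opened, and counts the latter per PID and remote port. The sample rows are copied from the output above; the function names are made up for this example, and treating a non-listening local port as an outbound connection is a heuristic.

```python
from collections import Counter, defaultdict

# Shortened excerpt of the `netstat -noa` output posted in the thread.
SAMPLE = """\
  TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1324
  TCP 0.0.0.0:10011 0.0.0.0:0 LISTENING 2028
  TCP 213.229.65.170:27015 0.0.0.0:0 LISTENING 2924
  TCP 213.229.65.170:3389 83.100.203.24:63073 ESTABLISHED 1324
  TCP 213.229.65.170:50074 68.142.116.179:27017 ESTABLISHED 2924
  TCP 213.229.65.170:50087 209.85.148.148:80 ESTABLISHED 2948
  TCP 213.229.65.170:50097 92.122.127.9:80 TIME_WAIT 0
  TCP 213.229.65.170:50124 2.19.223.139:80 ESTABLISHED 2948
  TCP 213.229.65.170:50183 173.194.37.104:80 ESTABLISHED 2948
  TCP 213.229.65.170:50184 173.194.37.104:80 ESTABLISHED 2948
  TCP [::]:3389 [::]:0 LISTENING 1324
  UDP 0.0.0.0:27015 *:* 2924
"""

def parse(text):
    """Yield (local_port, remote_ip, remote_port, state, pid) for TCP rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or f[0] != "TCP":
            continue  # headers, prompts, UDP rows (no state column)
        local_port = int(f[1].rsplit(":", 1)[1])
        remote_ip, remote_port = f[2].rsplit(":", 1)
        yield local_port, remote_ip, int(remote_port), f[3], int(f[4])

def triage(text):
    """Split connections into inbound (to a listening port) and outbound."""
    rows = list(parse(text))
    listening = {lp for lp, _, _, st, _ in rows if st == "LISTENING"}
    inbound = Counter()              # (remote_ip, local service port) -> count
    outbound = defaultdict(Counter)  # pid -> remote port -> count
    for lp, rip, rp, st, pid in rows:
        if st == "LISTENING":
            continue
        if lp in listening:
            inbound[(rip, lp)] += 1   # a client connected to a service here
        else:
            outbound[pid][rp] += 1    # heuristic: this host opened it
    return inbound, outbound

if __name__ == "__main__":
    inbound, outbound = triage(SAMPLE)
    print("inbound:", dict(inbound))
    for pid, ports in outbound.items():
        print("outbound from PID", pid, dict(ports))
```

On the live host, `tasklist /FI "PID eq 2948"` names the process behind a PID from the last column.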