StellarTech Blog

So you get the call from a client that their MS Windows server isn’t responding and it’s been randomly crashing as of late. If you are not seeing anything in eventvwr.msc your first instinct might be to grab a few sticks of RAM and a couple of diagnostic disks. Wait! Don’t forget to check for a DDoS/DoS attack. I’ve seen many cases where customers and clients have missed diagnosed a denial of service attack for a hardware problem when confirmation is just a netstat command away.

If you don’t have any network graphs available and surmising that the machine is available either through IP-over-KVM or you have physical access you can run the following command:
C:\> netstat -an | sort /+33

This will sort connections by the connecting IP. If you see a hundreds of concurrent connections from one IP and and the connections statuses are all syn_received, fin_wait, or time_wait then you probably have a denial of service going on.

As you can see MSSQL port 1433 is getting hammered. It’s always wise to firewall off ports like 1433 so that they are not exposed to the world.

Another fun way to verify a DoS attack, assuming you have a monitor/crash cart on the server, is to simple unplug the network cable. If the server instantly recovers and becomes responsive you’ve found the problem. Now it’s time to use you’re firewall kung-fu and deny the IP from further access.

Below are a few other helpful information gathering commands.

Find out what IPs are sending syn_received flags to your server on http 80. Any flag can go here.
C:\> netstat -an | findstr /i ":80.*syn_received$"

Get a count of how many times 111.222.333.444 is connecting to smtp 25.
C:\> netstat -an | find ":25 " | find /c "111.222.333.444"

It never hurts to do a little prevention by firewalling off any service that doesn’t need to touch the Internet and harden that TCP/IP stack.

Having intermittent problems hitting your favorite UNC path over openvpn? Does your Domain Controller turn it’s back on you randomly over the tunnel asking for authentication as if it no longer knows who you are?

If you have been plagued by any of the above anomalies you are not alone! Unfortunately hair loss products, Viagra, those vitamins you bought from GNC, or any other magical elixir of some unknown origin will not help.


You may even find yourself going down the same foolhardy path as yours truly. Thinking that editing %SystemRoot%\System32\Drivers\etc\hosts with the FQDN and NetBIOS names of all your favorite hosts will suffice only to be greeted with the grotesqueness of an authentication prompt repeatedly prompting you for information it should already know until you become mad. Finding yourself breaking out those emergency cyanide pills and washing them down with a flask of hemlock.

Wait friend! No need for such drastic measures yet. Simply edit your servers config file to include the following:
push "dhcp-option DNS ip.of.dc"

Make sure your client config allows pushing by having the following cleverly named setting of:
pull

Now once you’ve restarted your server and client you should see your DC IP set as the default name server when typing ‘nslookup’ at the command line.

Yes a simply fix but still worthy enough to stop any self mutilation.

Vista is just chalked full of surprises. I’ve been using it since it was first released and still more truths surface about it’s horrific visage silently hiding underneath it’s resource hungry interface. Waiting for an inconvenient moment to make itself known.

One such surprise was to discover that hyper terminal was no longer a part of Windows. While this software doesn’t get used as much as say solitaire, it does come in handy to configure ASAs and other serial devices.

After I made this discovery I cried for a few minutes and then finally got around to learning how to do the same thing with putty due to the necessity of my current predicament. A Cisco ASA 5505 needed some serial love and hyper terminal was no where to be found. Procrastination would just have to wait. ** insert rimshot here **

Using putty turned out to be straight forward and just as easy as hyper terminal which sucked anyway. You can start by opening putty, click Session, select the Serial option, leave speed at 9600, and enter in the COM port.

Next click “Serial” underneath “Connections”. All of the defaults are good with the exception of flow control. Set this option to none.

Finally click open and power on the device. Horray for putty!

It is fairly common knowledge among IT professionals that the Windows command line is fairly weak. While PowerShell looks promising it will not be installed by default until Windows Server 08 R2.

It’s alright though since the CLI in Windows isn’t as shabby as it is obscure. Take for example findstr and find. While not as powerful as it’s nix big brother ‘grep’, findstr does a fairly good job and even support regexp. Here are a few handy examples of both commands in action:

finding possible ddos attack to port 80:
netstat -ano | sort /+33 | find ":80 " | more