Someone's trying to flood our server
We have a Windows 2000 server, IIS 5 SP3 with all current hotfixes. We have around 600 sites running on it. We also implemented IP filtering. Our open ports are 20, 21, 80, 443, 1433 and 3389. Recently, we have been having problems with someone trying to flood our server. Our ports get stopped one by one. I am unable to connect using Terminal Services, and I don't have any other solutions besides physically rebooting it.
Welcome to the world of DoS (denial of service) attacks, or maybe it's a DDoS (distributed denial of service) attack. These attacks do not just affect Windows 2000/IIS. Any Web server, any network, can be subjected to them.
There are some things you can do, including hardening your TCP/IP stack to make it more resistant, attempting to determine the source of the flooding and asking your ISP to block traffic from those networks, and, of course, asking them to ask their upstream ISP to do the same. Some large sites add extra bandwidth to deal with these attacks.
You also need to find out if this is an attack against you or merely a general attack. What is the nature of the attack? What do your logs say? Are others experiencing these attacks? Are you sure the attacks are coming from outside your network? DDoS attacks work by taking over other systems and using them to attack. These "slave" systems, or "bots," could be inside your internal network. Are they?
Here are some references that might help you:
Best practices for preventing DoS
Or click here for another viewpoint, but you'll have to register to view the document.
This was first published in January 2003
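
As an added example (not part of the original answer), one way to start on "What do your logs say?" is to tally requests per source network from an IIS W3C extended log and mark sources that sit in private address space. The sample log lines, the /24 grouping, the threshold and treating RFC 1918 ranges as "internal" are assumptions; floods that never complete an HTTP request will not show up in this log.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-01-10 02:00:01 203.0.113.7 GET /default.asp 200
2003-01-10 02:00:01 203.0.113.7 GET /default.asp 200
2003-01-10 02:00:01 203.0.113.9 GET /default.asp 200
2003-01-10 02:00:02 203.0.113.7 GET /default.asp 200
2003-01-10 02:00:02 203.0.113.9 GET /default.asp 200
2003-01-10 02:00:02 10.1.2.3 GET /default.asp 200
2003-01-10 02:00:03 10.1.2.3 GET /default.asp 200
2003-01-10 02:00:03 10.1.2.3 GET /default.asp 200
2003-01-10 02:00:04 198.51.100.20 GET /index.htm 200
"""

# Assumption: "internal" means RFC 1918 private address space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or odd lines
                yield dict(zip(fields, parts))

def summarize_sources(text, threshold=3, prefix=24):
    """Return (network, request_count, is_internal) for busy source networks."""
    per_net = Counter()
    for row in parse_w3c(text):
        try:
            ip = ipaddress.IPv4Address(row["c-ip"])
        except (KeyError, ValueError):
            continue  # no c-ip column, or not an IPv4 address
        per_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)] += 1
    return [(str(net), count, any(net.subnet_of(r) for r in INTERNAL))
            for net, count in per_net.most_common() if count >= threshold]

if __name__ == "__main__":
    for net, count, internal in summarize_sources(SAMPLE_LOG):
        print(f"{net:18} {count:5} {'INTERNAL' if internal else 'external'}")
```

External networks in the output are the ones to hand to your ISP for blocking; internal ones point at hosts on your own network that need to be examined.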