Detect and Prevent SYN Flood Attack on Windows Server 2012 R2

Tags: tcpip, windows-server-2012-r2

I have a Windows Server 2012 R2 IIS web server, running on VMware ESXi 5.5, hosting multiple websites with different IP addresses. This server recently has been refusing connections randomly across all websites. When the server stops accepting connections, there are tons of SYN_RECEIVED entries in netstat. Sometimes they are from the same IP address across all the hosted IP addresses; other times they are from different IP addresses, but there are a lot more of them. These entries sit for a while and then disappear (assuming a timeout period is reached).

I've read this is probably a SYN flood attack, but that Windows is supposed to have a built-in way of handling these attacks. I looked at this article, https://blogs.technet.microsoft.com/nettracer/2010/06/01/syn-attack-protection-on-windows-vista-windows-2008-windows-7-windows-2008-r2-windows-88-1-windows-2012-and-windows-2012-r2/, and did a netsh trace, but there's nothing in the logs that indicates SYN attack protection has been initiated. This makes me wonder whether SYN attack protection is working. The web server does have the built-in Windows firewall disabled. Could that cause the SYN attack protection to be disabled?

I also read that increasing the server resources could help. I doubled the CPU and RAM for the virtual machine, but this problem still crops up every week. Usually it lasts for a day and then goes back to normal. When the server stops responding to connections, netstat will be filled with a bunch of SYN_RECEIVED entries and it will take several minutes to complete. At this time the CPU usage is really low, around 5-10%, and the RAM usage is half of what is available. After the suspected attack, netstat will return all the results in a few seconds.

How can I stop this connection-refused problem from happening? Any tips or tricks? Does the disabled Windows firewall have something to do with mitigating the attacks?

Best Answer

I think this is difficult to stop at your Windows machine.

You should ensure you have a firewall, if not on the Windows host then certainly at the boundary.

I have successfully monitored connections on a Linux machine to identify unconventional behaviour like a SYN flood (which the Linux kernel has some options for coping with), connecting from unusual ports (making connections from port 80/443 rather than to it, for example), and so on, then flagging these and implementing a block in the firewall for the offending addresses.

On a Windows machine you could probably monitor the event log for information about this, and then manipulate the system firewall, but I think it's going to be harder and less reliable than using Linux, where doing this fits with the kernel design.

If you wanted to try and do it in the kernel you would need to write a kernel-mode driver to inspect packets, which is likely to be difficult and time consuming.

If you need to run your hosts under Windows, you might investigate whether you could set up a Linux machine which could filter the traffic and act as the network boundary.

And make sure that there is a firewall somewhere!
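As an added illustration of the "monitor, flag, block" loop the answer describes, done on the Windows host itself with PowerShell (example code added here, not from the answer, the question or Microsoft; the threshold, the dry-run switch and the rule name are assumptions):

```powershell
# Added example: count half-open (SYN_RECEIVED) connections per remote address
# and add a Windows Firewall block rule for any address over a threshold.
# Assumes Windows Server 2012 R2 with the NetTCPIP and NetSecurity modules
# (Get-NetTCPConnection, New-NetFirewallRule) and an elevated session.
$Threshold = 50      # assumed value: half-open connections from one address before it is flagged
$DryRun    = $true   # set to $false to actually create the block rules

# SynReceived is the half-open state the question sees as SYN_RECEIVED in netstat.
$halfOpen = Get-NetTCPConnection -State SynReceived -ErrorAction SilentlyContinue |
    Group-Object -Property RemoteAddress |
    Sort-Object -Property Count -Descending

$total = [int](($halfOpen | Measure-Object -Property Count -Sum).Sum)
Write-Host "$total half-open connections in total"

foreach ($group in $halfOpen) {
    $addr = $group.Name
    if ($group.Count -lt $Threshold) { continue }

    # Unspecified and loopback addresses are never a meaningful block target.
    if ($addr -in @('0.0.0.0', '::', '127.0.0.1', '::1')) { continue }

    $ruleName = "SYN flood block $addr"   # assumed naming convention
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "$addr already blocked ($($group.Count) half-open)"
        continue
    }

    Write-Host "$addr has $($group.Count) half-open connections, exceeds $Threshold"
    if ($DryRun) { continue }

    # Inbound block rule for that single remote address on every profile.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -RemoteAddress $addr -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule '$ruleName'"
}
```

Per-address blocking only helps in the single-source case the question mentions; a flood from spoofed or many different addresses needs the boundary filtering the answer recommends. The rules also only take effect once the Windows Firewall profile is enabled, which the question says it currently is not.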