Kas Ob.

One small addition to Remy detailed answer, There is zero guarantee that DllMain will be called from the the Main Thread or even the the same thread that called LoadLibrary ! So all bets are off using VCL, while RTL should be OK if thread safety used with it (locking/synchro..)

I never went above 0, for my personal usage and my recommendation for my clients, though some went for extra functionality and paid more. CF free plan is pretty damn good, and it does protect and isolate many if not all of these DoS or DDoS, from their infrastructure capability it is negligible for a site or two. Pretty good damn protection, as you don't even want to care or think about any attacks on all layers up to 5, to understand these and as reminder about layers refer to Wikipedia https://en.wikipedia.org/wiki/OSI_model#Layer_architecture Up layer 3 it is really hard to protect yourself, this involve many raw sockets and very low level networking which even harder on Windows without involving Drivers and Filter Drivers. as for 4 and 5, these are were CF can offload this huge pain in the back to manage, then you will be left with the last two layers 6 and 7, these are absolutely your job to protect against, to explain, if your server miss handling a JSON payload that cause a crash, or freeze .... these are your job as developer to handle and protect against. There is many can be written here, but i hope i gave a good start point to start your own research about these layers how things can go wrong with them, as Denial of Service (Dos) and Distributed DoS (DDoS), can be to deplete server resources or just cause havoc and instability for the service, in this case with Angus, the hackers were using DoS but after blocking by IPs they switched to DDoS, still the attack target itself is not clear for me, is it brute forcing a password or just scraping data or.... this must be handled by Angus, and again most cases need a login, hence session come to play, and delegate this to CF is nice, and please be careful here and don't confuse the session for the HTTP(s) CF established and your server session for logged/not logged aka your own server session, these are two different sessions, but can be combined or in other words co-exist and utilized. It is unlimited, at least from i witnessed, and yes it was wild traffic and CF chewed it like nothing for static/cached/cdn content and for dynamic, yet your server was hidden and relaxing. Also there is these features/APIs like https://www.cloudflare.com/application-services/solutions/api-security/ https://developers.cloudflare.com/api-shield/ You can have a look at these case-studies which i rarely trust or believe in almost even read, but with CF it is true and it is everywhere and doing it job, https://www.cloudflare.com/case-studies/ With that being said about CF, i used OVH and my own server redirections, OVH filtered DDoS attacks up to level 4, my server was free from needing to handle those, and for higher level i didn't use captcha but utilized some redirection, to filter out any bots, see most bots even the sophisticated ones can be fooled or identified by this redirection, redirect to a page on sub domain use your own headers and cookies then return them to another one, if you ever watched what Microsoft does for web Outlook/Hotmail login (it was their standard in not so long past), you will get the idea, though this practice is dying due to cross origin policy on browsers. Anyway, the whole thing of stopping such attacks will comes to identify what is their target, simply put the server/service out of work ? grabbing public data ? grabbing valuable data ? brute forcing to gain access ?.... for each case you need build a solution, But in general such just repeated http requests, CF will filter them out, most of them, see CF does know what each and every IP does and to whom it belongs, so VPN and proxies are the easiest to block. Also i wouldn't suggest to block IP(s) by /24, that is excessive, i always use limit per second per one IP no ranges, and combine it with minutes, the more ip connect and request the more delay to keep blocking and unblock after one hour no matter what, of course if the HTTP server is handling keep-connection right and doesn't trigger the auto block by dropping the connection itself, in other words will not allow HTTP/1.0 and old browsers, these will block them selves. Most valuable tool to identify and block is dynamic cookies, not static ones, for established connection dynamic is good, for new will be handled as suspect under provision, combining these with IP(s), see, let say /24 range so i can allow 255 different cookies for that range and start to block, even go after them all, but if one still having my cookie and updating it consequently then it is fine, but this include keep tracking cookies at least as the server is running, unless the login cookie is kept in DB then the infrastructure is there to expand and track them all.

Hi, Well there is nothing much i can suggest here that you already doesn't know, but i can give an idea, CloudFlare, this can stop it or at least remove %99 of these connections, this from experience, but of course you thought about that and didn't use for reason or two, also we known, My suggestion is utilize CloudFlare as a step, meaning redirect all connections into subdomain this sub domain is the one with CF or vice versa, i am trying to give you an idea about sieving the connection with CF, so it one of these as example(s) "->" means HTTP redirect 1) Your server on main domain -> subdomain on CF -> return main domain after checking cookies and what CF can offer here 2) Your main domain on CF -> your actual server on sub domain, after white listing the connection, 3) combine both (1) and (2) and use CF worker to handle whitelisting and let CF handle the blacklisting. Just thoughts and hope that helps.

Also i witnessed this behavior on many Windows and Linux servers hosted on dedicated servers, it is almost was the host problem or a specific ISP, you needed to study the dropped connections, if we are talking about dropped connection not accepted ones, does your host have some sort of DDoS protection, because it might be triggered on their hardware before your server by unrelated server attack happens to be the same switch and this could lead to such dropping/losing connection or refusing new connections for few minutes then everything come back as normal, and the load return to its normal. For this case, track and record the time of this and ask your host technical support to confirm if that is the case, also record these IP(s) refused or dropped connections, and try to geo locate them see if they belongs to one or more than one but close ISP(s).

Remy listed few things, and i will list more thought to follow on this, Windows OS has its own DDoS protection implemented, it almost useless or more like very naïve as any more advanced one will cause wide range of problems and require more advanced knowledge to tweak so Microsoft kept it as simple as possible with very limited settings to tweak, anyway 1) start with this link and see your dynamic port with "show dynamicport" before changing and adjusting https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/tcp-ip-port-exhaustion-troubleshooting 2) It is disgusting how Microsoft manage to just lose links to 404, valuable information and documentation, for stupid site miss-manage, i have very little time to write and search and searching almost always land me on 404 !, found this though https://serverfault.com/questions/43252/how-can-i-harden-the-tcp-ip-stack-in-windows-server-2008 ECN can play a role, and there was some more registry settings , later will look for them if your couldn't find the problem, but in general more information is needed, like how many new connection established per second and average time for connection staying connected ...

@Roger Cigol Here another thing to try Download and run Api Monitor from http://www.rohitab.com/apimonitor Use the correct bit version with your EXE and put the filter as shown in this screenshot Run your exe or you can attach it at anytime, so you are not limited to monitor everything, you can leave the exe running alone until the problem manifest, then attach the monitor and capture the log. After capturing the log, compare it with log from your own device and see where the failure exist after that you can share with us important pieces of the failure. Give extra attention to the failed API calls and their passed parameters, this is important, also as the monitor log record the handles and result so a comparison might narrow the failure origin. Feel free to expand the the API logging list for your own running EXE and that one device, you might find it useful reporting many failed API or wrong doing or repeated calls, also you can record SyncObjs API like Low Level APIs eg.RtlCriticalSectionxxxx... Mutex,Events... like these

The blackout is striking again, two days out of power, now back to 3 hours on and something between 3-6 or even 9 hours off. Defender easily can do it and even worse. What is standout for me, is why it is not verified ?!! while other are OK, but yet it might not be a big deal https://security.stackexchange.com/questions/224829/does-a-lack-of-verified-signatures-for-windows-defender-indicate-malware https://learn.microsoft.com/en-us/archive/msdn-technet-forums/a7e41613-43aa-4c9b-b117-46d0f9420bf7#986960c6-d417-4747-8020-e06f3bf6e1fb As what could go wrong ? the answer here makes sense (pun intended) https://answers.microsoft.com/en-us/windows/forum/all/is-it-okay-if-the-windows-defender-service-is-not/2d1dbf86-06cc-4c5c-a415-75fa0b878cff So, as a theory, Sense at some point was allowed to upload samples in such case it could marked/flagged your application and may be your certificate too, and waiting for a response to either red or green flag it, in mean time it will be allowed to work under inspection with full logging/tracking/tracing up to a point where it deplete a specific amount of resources, it shouldn't be reaching such limit but it is, though it is a theory. Try to change the name of the EXE and how it does reach that device, i mean if you have self updating exe then override it, build a new exe with different paths if possible, and try again. OR, allow defender to take its samples if case it is misconfigured or had some policy changes, ask if someone tweaked defender, or even just try to stop it and restart it.

This is it a driver running out resource, either by being a buggy/outdated or it does belong to bigger software like an antivirus but the rest of the software is not there to continue processing something, it could be uninstalled software that had a driver leftover, running rouge. I can say something around 100% sure. for more testing please Run (As Administrator) AutoRuns https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns with Then see what reside in the both sections Services and Drivers, easy to check the Provider/Publisher.

Well this means, it is definitely a broken driver, and again such driver is there to perform a job, it could be attached to another service like (just as example) System Restore or it might have its own configuration/policy like security and its access. So what i suggest is to go back to my first post in this thread, and run SFC, yes as dumb as it sound, also check if compatibility service is running and the application doesn't have any, also check the target file path (location and upper directory(s)) have security, see i know it work sometimes but, is there something had changed it dynamically ? like at this moment causing such resource to be wrongly handled, Handles are stored in kernel in tables and cloned there, but it could depend on filters on the way (in and out), and that what you want to pin point if a buggy driver (yes it is a driver or filter driver) caused this and depleted its own resources.

Expanding a little on drivers and services, internally all drivers are called services and they configured and launched from one location in the registry Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services Except the OS kernel itself which loaded and hardcoded to load at very first step of boot, all are defined there. So when an error says service it could be a driver.

It doesn't matter, and yes it will help if no object with that name exist then the problem is in the middle between use mode and user-mode driver.

Sorry i forgot to mention to search and find your MyMutex1

Not mentioned is enough for this one, it does confirm it is coming form a driver, low level one.

No not healthy at all. But this one could be the running out resource ! Yes handles has limit and still the same as i mentioned above, the handle is wrongly handled, Please, download WinObjEx64 https://github.com/hfiref0x/WinObjEx64/releases Then share screenshots of the three tabs like this

TO be honest it is not exactly a service but stapled to one, see this cryptic error most likely caused and reported from User-Mode Driver, as kernel mode driver are more detailed error, yet in both cases these drivers belong and part of to an OS service as mentioned above, i think it is between System Restore, Defender or some network mapped drive.