DDoS was the topic of the week with the CAO office in Ireland being repeatedly attacked. Microsoft released a beta of a new IIS module, called Dynamic IP Restrictions Extension for IIS. The idea is that the web server will deny connection requests from detected DDoS and brute force password attackers. I don’t know how automated this is: remember that DDoS attackers tend to be botnets of infected PCs that will have DHCP addresses on the net. I really like the brute force attack defence. I can tell you that this is a huge problem for web hosting companies; I’ve seen it myself on a pretty large shared web hosting farm. I’d like to see this followed up with a similar feature for SQL: those farms present TCP 1433 naked to the net … I can hear the shrieks from enterprise DBAs now.
This module is a very cool development from the impressive IIS group.
Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses
Dynamic IP Restrictions for IIS allows you to reduce the probabilities of your Web Server being subject to a Denial of Service attack by inspecting the source IP of the requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module will place the offending IP in a temporary deny list and will avoid responding to the requests for a predetermined amount of time.
Minimize the possibilities of Brute-force-cracking of the passwords of your Web Server
Dynamic IP Restrictions for IIS is able to detect requests patterns that indicate the passwords of the Web Server are attempted to be decoded. The module will place the offending IP on a list of servers that are denied access for a predetermined amount of time. In situations where the authentication is done against an Active Directory Services (ADS) the module is able to maintain the availability of the Web Server by avoiding having to issue authentication challenges to ADS.
- Seamless integration into IIS 7.0 Manager.
- Dynamically blocking of requests from IP address based on either of the following criteria:
  - The number of concurrent requests.
  - The number of requests over a period of time.
- Support for list of IPs that are allowed to bypass Dynamic IP Restriction filtering.
- Blocking of requests can be configurable at the Web Site or Web Server level.
- Configurable deny actions allow IT Administrators to specify what response would be returned to the client. The module supports return status codes 403, 404 or closing the connection.
- Support for IPv6 addresses.
- Support for web servers behind a proxy or firewall that may modify the client IP address.
This has been released for W2008 and W2008 R2 x64. I didn’t find a 32-bit version (for W2008). You can learn more about this solution in a series of articles discussing the beta.
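To make the two blocking criteria, the allow list and the temporary deny list from the feature list above concrete, here is an added example (not Microsoft's code and not part of the original post) that models the described behaviour in Python. The class, its parameter names and the sample events are assumptions made for illustration; the module's real configuration and internals are not shown on this page.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class DynamicIpRestriction:
    """Model of per-IP blocking by concurrency or request rate (illustrative only)."""

    def __init__(self, max_concurrent, max_requests, window_s, deny_s, allow=(), deny_status=403):
        self.max_concurrent, self.max_requests = max_concurrent, max_requests
        self.window_s, self.deny_s = window_s, deny_s
        self.deny_status = deny_status            # 403 or 404, as the feature list allows
        self.allow = [ip_network(n) for n in allow]
        self.active = defaultdict(int)            # ip -> requests currently in flight
        self.recent = defaultdict(deque)          # ip -> timestamps inside the window
        self.denied_until = {}                    # ip -> end of the temporary block

    def begin_request(self, ip, now):
        """Return 200 if the request may proceed, otherwise the deny status."""
        addr = ip_address(ip)                     # normalises IPv4 and IPv6 spellings
        if any(addr.version == n.version and addr in n for n in self.allow):
            return 200                            # allow list bypasses all filtering
        if self.denied_until.get(addr, 0) > now:
            return self.deny_status               # still on the temporary deny list
        self.denied_until.pop(addr, None)
        hits = self.recent[addr]
        while hits and hits[0] <= now - self.window_s:
            hits.popleft()                        # drop requests older than the window
        hits.append(now)
        if len(hits) > self.max_requests or self.active[addr] >= self.max_concurrent:
            self.denied_until[addr] = now + self.deny_s
            return self.deny_status
        self.active[addr] += 1
        return 200

    def end_request(self, ip):
        addr = ip_address(ip)
        self.active[addr] = max(0, self.active[addr] - 1)

def replay(limiter, events):
    """Replay constructed (time, ip, finishes) events; return the status per request."""
    statuses = []
    for now, ip, finishes in events:
        status = limiter.begin_request(ip, now)
        if status == 200 and finishes:
            limiter.end_request(ip)
        statuses.append(status)
    return statuses

# Constructed sample (documentation address): bursts at t=0..3 s, retries at 20 s and 40 s.
SAMPLE = [(t, "203.0.113.7", True) for t in (0, 1, 2, 3, 20, 40)]
```

With a limit of three requests per 10 seconds and a 30 second block, the fourth request and the retry at 20 seconds are denied, and the retry at 40 seconds is served again because the block has expired.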
The Windows update MS10-24 for SMTP will wipe the SMTP configuration on Windows Server 2008. I discovered this today when we found SMTP was no longer relaying email (or accepting local connections) on a couple of servers. One server and I was scratching my head. The second one and I knew there was only one common denominator.
It took me a couple of different search attempts to find the culprit. Even then, I went to the official page for this update and I had to click through 3 pages to find a warning that there might be an issue (I linked the eventual page above).
The developer of this automatic update expects you to magically script a solution to run before the update and after it. This will back up your SMTP configuration and restore it. That’s even assuming that your crystal ball has warned you of a problem. The next time I hear a MS security evangelist talk about instant approval and deployment of updates … …
I know the issue with this update is an exception. But I am not impressed. Believe me – I am holding back on how unimpressed I am.
*counting down from 10, 9, 8 …*
ARR 2.0 was announced as being released and available to download earlier this week. It leverages IIS 7.0 and IIS 7.5 to give you a load balancing and content caching solution. It’s an interesting solution, especially if you start reconsidering how you architect your web farms. Here’s a listing of the features:
- HTTP based routing decisions built using rules that examine HTTP request information
- Sophisticated load balancing algorithms to determine appropriate servers to service the HTTP requests
- Health monitoring for live traffic and specific URLs to determine the health of servers with a set of configuration parameters provided to calibrate baseline server health
- Client affinity to direct all requests from a client to a specific server by using cookies.
- Host name affinity to streamline administration for Web servers and to create additional business opportunities.
- Management of multiple server farms to enable pilot management and A/B testing scenarios.
- Management and monitoring of all configuration settings and aggregated runtime statistics through IIS Manager interface.
- Support for Failed Request Tracing Rules
- Disk-based caching
- Cache hierarchy management
- Cache proxy node in CDN/ECN environment
- Caching compressed objects
- Browsing cached contents using IIS Manager
- Removing cached contents by matching URL patterns
- Overriding cache-control directives
- Warming up cache mode
- Intelligent byte-range support
- Intelligent live request support
- Caching while serving responses
There’s a great blog post by Mai-lan which details the reasons for IT Pros and Developers to start using IIS7.5 as included in Windows Server 2008 R2. Well done! It’s the best post I’ve seen on the subject.
I’ve got to say that the IIS teams might be the best bloggers/web contributors in MS corporate. Admittedly, they should be 🙂
I keep getting more and more impressed with the work that is being done by the IIS teams in Microsoft. The Web Platform Installer is belied by its tiny size. Sure, it makes setting up a new IIS server quicker and easier. But the big impact from it for me is how Microsoft has successfully worked with a number of partners to make the entire installation process easier … not just Server and IIS but the plug-ins from others who might be seen as competitors such as PHP.
And it keeps getting better.
There is a Web Deployment Tool to help with the installation and migration of new sites. “The Web Deployment Tool simplifies the migration, management and deployment of IIS Web servers, Web applications and Web sites. Administrators can use command-line scripting with the Web Deployment Tool to synchronize IIS 6.0 and IIS 7.0 servers or to migrate an IIS 6.0 server to IIS 7.0. The Web Deployment Tool also enables administrators and delegated users to use IIS Manager to deploy ASP.NET and PHP applications to an IIS 7.0 server.” This features integration between Visual Studio 2010 and IIS 7.0. Web admins can synchronise sites with it. And web deployments can be converted into packages for easier deployment – this even allows you to add packages to the Microsoft Web Application Gallery.
IIS Advanced Logging appeared on the download site last night for X64 and X86. “Advanced Logging provides rich, flexible data collection and real-time logging capabilities. Log any of the HTTP request/response headers, IIS server variables and client-side fields to track end-user engagement. Generate logs per IIS application, create custom logging for modules, or implement hierarchical logging. Set up a central log farm to collect client-side metrics and create multiple purpose-specific logs per request, with each log containing purpose-specific data”.
IIS Media Services 3.0 also made an appearance for X64 and X86. “IIS Media Services 3.0 is a set of media-related extensions for Internet Information Services (IIS) 7. IIS Media Services provides an integrated HTTP-based media delivery platform, and includes:
- Smooth Streaming, adaptive streaming of media over HTTP
- Live Smooth Streaming, for live adaptive streaming of broadcast events
- Bit Rate Throttling, meters the speed that media is delivered to a player
- Web Playlists, secure sequencing of media content

You can also download two additional IIS extensions related to IIS Media Services 3.0.
- Advanced Logging, with real-time client- and server-side logging
- Application Request Routing (ARR), providing HTTP proxying and caching”
There is also a smooth streaming deployment guide. “Smooth Streaming is the Microsoft implementation of adaptive streaming technology, which is a form of Web-based media content delivery that uses standard HTTP. Instead of delivering media as full-file downloads, or as persistent (and thus stateful) streams, the content is delivered to clients as a series of MPEG-4 (MP4) fragments that can be cached at edge servers. Smooth Streaming-compatible clients use special heuristics to dynamically monitor current network and local PC conditions and seamlessly switch the video quality of the Smooth Streaming presentation that they receive. As a result, users experience the highest-quality playback available, with no interruptions in the stream. As a content producer, you can encode on-demand Smooth Streaming video using Microsoft Expression Encoder 3 (encoding of live Smooth Streams is currently not supported). As a content provider, you can use IIS Media Services to serve the encoded Smooth Streams. And as a content consumer, you can play the Smooth Streams using a Smooth Streaming-compatible client, such as Microsoft Silverlight. This document discusses the Microsoft implementation for delivering a full Smooth Streaming experience.”
Keep it up folks! Combined with WebsiteSpark, this should tilt the Linux V Windows ratio a few ticks in MS’s favour.
Microsoft announced the RTM of the Web Platform Installer (Web PI) and the Web Gallery. The Web PI is a simple little tool that saves a lot of time. Install it on a server that will be a web server. Then browse through it to pick and choose the bits you want to download and install, e.g. PHP, FTP 7.5, WordPress … yeap, those were non-MS products listed in a MS solution. The Web PI downloads the installers and installs the programs. I’ve deployed the RC with customers with great success. They liked it a lot because it made customisation easy for them. Heck, it simplifies my job too.
We’re changing the IP address range on the firewalls so we’re adding in the new NAT rules in addition to the old ones for a smooth transition.
We started with a web server. The site uses DotNetNuke. We tested the new IP and the server wouldn’t load the page on clients. Luckily we’d kept the old IP and could confirm the site was OK on that. I ran Network Monitor 3.3 on the server (NetMon is part of my standard server installation package) and on my client to check things out. Our network engineer started looking at router and firewall traces. I could see traffic coming into TCP 80 but the conversation was short. On the client end I could see the same. I compared with a working conversation on the old IP address and saw that there was a different HTTP status code at the start. The failing server was giving me a 302. In fact, my client was loading localhost instead of the site on the new IP address; that was the 302 code redirect.
I swapped in a default IIS7 site and tested. It worked perfectly. The site bindings were the default norms on the hosted site so it wasn’t that.
I decided to google (I cannot bring myself to say I binged or bonged something, Microsoft) for DotNetNuke redirecting to localhost. Badda-bing! It appears DotNetNuke has its own site binding configuration in a SQL table called PortAlias. I added in a row and added in the new IP address to test. That worked perfectly.
I now need to have a long shower after doing developer work 😉
Microsoft has released a beta (pre production and for test only) kit for bumping up the position of the sites on your IIS servers in search results, i.e. Search Engine Optimisation or SEO. This tool kit includes “the Site Analysis module, the Robots Exclusion module, and the Sitemaps and Site Indexes module, which let you perform detailed analysis and offer recommendations and editing tools for managing your Robots and Sitemaps files.
Site Analysis Features
- Fully featured crawl engine named ‘iisbot’
- Configurable number of concurrent requests to allow users to crawl their Web site without incurring additional processing. This can be configured from 1 to 16 concurrent requests.
- Support for Robots.txt, allowing you to customize the locations where the iisbot should analyze and which locations should be ignored.
- Support for Sitemap files allowing you to specify additional locations to be analyzed.
- Support for overriding ‘noindex’ and ‘nofollow’ metatags to allow you to analyze pages to help improve customer experience even when search engines will not process them.
- Configurable limits for analysis, maximum number of URLs to download, and maximum number of kilobytes to download per URL.
- Configurable options for including content from only your directories or the entire site and sub domains.
- View detailed summary of Web site analysis results through a rich dashboard
- Feature rich Query Builder interface exposing large amounts of data
- Quick access to common tasks
- Display of detailed information for each URL
- View detailed route analysis showing unique routes to better understand the way search engines reach your content
Robots Exclusion Features
- Display of robots content in a friendly user interface
- Support for filtering, grouping, and sorting
- Ability to add ‘disallow’ and ‘allow’ paths using a physical view of your Web site
- Ability to add ‘disallow’ and ‘allow’ paths using a logical view of your Web site from the result of site analysis processing
- Ability to add sitemap locations
Sitemap and Sitemap Index Features
- Display of sitemaps and sitemap index files in a simple user interface
- Support for grouping and sorting
- Ability to add/edit/remove sitemap and sitemap index files
- Ability to add new URLs to sitemap and sitemap index files using a physical view of your Web site
- Ability to add new URLs to sitemap and sitemap index files using a logical view of your Web site from the result of site analysis processing
- Ability to register a sitemap or sitemap index into the robots exclusion file”
There is a concern that something like this would cause an undue load on the IIS server/sites. Microsoft responds to this with instructions for using a configurable setting. This allows you to set the maximum number of concurrent requests created by the SEO Toolkit.