DDOS was the topic of the week with the CAO office in Ireland being repeatedly attacked. Microsoft released a beta of a new IIS module, called Dynamic IP Restrictions Extension for IIS. The idea is that the web server will deny connection requests from detected DDOS and brute force password attackers. I don’t know how automated this is: remember that DDOS attackers tend to be botnets of infected PC’s that will have DHCP addresses on the net. I really like the brute force attack defence. I can tell you that this is a huge problem for web hosting companies; I’ve seen it myself on a pretty large shared web hosting farm. I’d like to see this followed up with similar feature for SQL: those farms present TCP 1433 naked to the net … I can hear the shrieks from enterprise DBA’s now.
This module is a very cool development from the impressive IIS group.
Reduce the chances of a Denial of Service attack by dynamically blocking requests from malicious IP addresses
Dynamic IP Restrictions for IIS allows you to reduce the probabilities of your Web Server being subject to a Denial of Service attack by inspecting the source IP of the requests and identifying patterns that could signal an attack. When an attack pattern is detected, the module will place the offending IP in a temporary deny list and will avoid responding to the requests for a predetermined amount of time.
Minimize the possibilities of Brute-force-cracking of the passwords of your Web Server
Dynamic IP Restrictions for IIS is able to detect requests patterns that indicate the passwords of the Web Server are attempted to be decoded. The module will place the offending IP on a list of servers that are denied access for a predetermined amount of time. In situations where the authentication is done against an Active Directory Services (ADS) the module is able to maintain the availability of the Web Server by avoiding having to issue authentication challenges to ADS.
- Seamless integration into IIS 7.0 Manager.
- Dynamically blocking of requests from IP address based on either of the following criteria:
- The number of concurrent requests.
- The number of requests over a period of time.
- Support for list of IPs that are allowed to bypass Dynamic IP Restriction filtering.
- Blocking of requests can be configurable at the Web Site or Web Server level.
- Configurable deny actions allows IT Administrators to specify what response would be returned to the client. The module support return status codes 403, 404 or closing the connection.
- Support for IPv6 addresses.
- Support for web servers behind a proxy or firewall that may modify the client IP address.