Preventing Automated Attacks with IIS Dynamic IP Restrictions

Another one of the great built-in features of IIS 8 is Dynamic IP Restrictions (DIPR). With a few simple configuration steps you can quickly set limits for blocking IP addresses based on the number of concurrent requests or the frequency of requests over a period of time. With these parameters in place IIS will take over blocking requests unattended, thereby making your server more secure.

Before DIPR was available on IIS 7 you could manually block one IP or a range of IPs easily in the IP Address and Domain Restrictions module. However, this could be a time-consuming task if your server was under attack. Using a tool like Log Parser to examine the site’s logs you could identify IPs with suspicious activity, but then you still had to manually enter Deny Rules. Determined attackers will use a variety of IPs from proxy servers, so by the time you’ve blocked a handful a new range could be starting up. DIPR was released out-of-band for IIS 7 and IIS 7.5, so you can leverage this great security tool on those web servers as well. In this walkthrough I cover how to configure Dynamic IP Restrictions and even show a test in action.


Installing Dynamic IP Restrictions

Open Server Manager and go to the Web Server role. Under Security, ensure that IP and Domain Restrictions is installed.

IP Address and Domain Restrictions in IIS Manager

Open IIS Manager and click on IP Address and Domain Restrictions.

From this window you can either Add Allow Entry rules or Add Deny Entry rules. These rules are for manually blocking (or allowing) one IP address or an IP address range. You have to be careful when blocking an IP range because you could inadvertently block legitimate traffic. Click on Edit Dynamic Restriction Settings to set the dynamic thresholds for blocking IP addresses.

Click Edit Feature Settings to set the Deny Action Type. In this example I’ve set Forbidden so blocked requests will receive an HTTP 403 status error. These errors will also be recorded in the site’s log for us to review later.

On the Dynamic IP Restriction Settings screen you can choose the maximum number of concurrent requests to block. You can also deny IP addresses based on the frequency of requests over a period of time.

As always, depending on the volume of your web site’s traffic, you should test these settings to ensure that legitimate traffic does not get blocked.
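The same settings can be applied from PowerShell instead of clicking through IIS Manager. This is an added example, not code from the original post; the site name and the threshold values are placeholders to tune against your own traffic, and it assumes the WebAdministration module on an IIS 8 (or IIS 7/7.5 with the DIPR add-on) server.

```powershell
# Added example (not from the original post): configure Dynamic IP Restrictions
# with the WebAdministration module. Run in an elevated PowerShell on the IIS server.
# The site name and thresholds are placeholders; tune them against real traffic.
Import-Module WebAdministration

$site   = 'Default Web Site'              # placeholder site name
$psPath = 'MACHINE/WEBROOT/APPHOST'       # section is locked at site level, so write to applicationHost.config
$filter = 'system.webServer/security/dynamicIpSecurity'

# Deny action "Forbidden": blocked requests get HTTP 403 and land in the site log
# as sc-status 403 / sc-substatus 502 for later review.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter `
    -Name 'denyAction' -Value 'Forbidden'

# Start in logging-only mode: IIS records what it would have blocked without
# blocking it, so the thresholds can be checked against legitimate traffic first.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter `
    -Name 'enableLoggingOnlyMode' -Value $true

# Deny a client that has more than N requests in flight at the same time.
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$filter/denyByConcurrentRequests" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$filter/denyByConcurrentRequests" -Name 'maxConcurrentRequests' -Value 20

# Deny a client that sends more than N requests within the interval (milliseconds).
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$filter/denyByRequestRate" -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$filter/denyByRequestRate" -Name 'maxRequests' -Value 50
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$filter/denyByRequestRate" -Name 'requestIntervalInMilliseconds' -Value 1000

# Behind a load balancer or reverse proxy every request arrives from the proxy's
# address; proxy mode makes DIPR evaluate the X-Forwarded-For client IP instead,
# so one upstream device is not mistaken for a single abusive client.
Set-WebConfigurationProperty -PSPath $psPath -Location $site -Filter $filter `
    -Name 'enableProxyMode' -Value $true

# Review the effective settings; once the log looks right, set
# enableLoggingOnlyMode back to $false to start enforcing.
Get-WebConfiguration -PSPath $psPath -Location $site -Filter $filter |
    Select-Object denyAction, enableLoggingOnlyMode, enableProxyMode
```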


Testing Dynamic IP Address Blocking

I didn’t have a real security incident available for testing the DIPR module, so I did the next best thing. Using Fiddler, the free debugging tool from Telerik, and StressStimulus, a free load-testing plugin from StimulusTechnology, I hammered my test virtual server for a few minutes and got the desired results. With Fiddler open you will see the StressStimulus module. From here you can record your test case or open an existing test case, as well as edit the test case parameters.



Test Results

StressStimulus gives you multiple detailed charts to review to gauge the performance of your site and identify potential areas of weakness. For my test I chose to hit the wp-login.php page on my test WordPress site with 3 concurrent requests and 100 iterations. The test completed within a few minutes.


Visiting the test page from the server running StressStimulus I get the expected result: it’s blocked with a 403 error. The full description of this code is 403.502 – Forbidden: Too many requests from the same client IP; Dynamic IP.


Using the Log Parser query below to analyze the site log I see that 331 requests were blocked with a 403.502 status code.

SELECT TOP 100
    STRCAT(EXTRACT_PATH(cs-uri-stem),'/') AS RequestPath, sc-status, sc-substatus,
    EXTRACT_FILENAME(cs-uri-stem) AS RequestedFile,
    COUNT(*) AS TotalHits, c-ip
INTO top-403-ip-requests
FROM w3svc.log
GROUP BY cs-uri-stem, sc-status, sc-substatus, c-ip
ORDER BY TotalHits DESC


Further examination of the log with Log Parser shows the full breakdown of the requests blocked with 403 status.

SELECT TOP 100
    STRCAT(EXTRACT_PATH(cs-uri-stem),'/') AS RequestPath, sc-status, sc-substatus,
    EXTRACT_FILENAME(cs-uri-stem) AS RequestedFile,
    COUNT(*) AS TotalHits, c-ip
INTO top-403-ip-requests
FROM w3svc.log
WHERE sc-status=403
GROUP BY cs-uri-stem, sc-status, sc-substatus, c-ip
ORDER BY TotalHits DESC
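The same breakdown can be produced without Log Parser by reading the W3C log directly, which is handy on a server where the tool isn’t installed. This is an added example, not code from the original post; the log lines inside it are constructed sample data, and the function name and the log path in the closing comment are assumptions.

```powershell
# Added example (not from the original post): count the requests DIPR blocked
# with 403.502 per client IP and path, straight from a W3C extended log.
# $sample is constructed data; point the function at a real u_ex*.log to use it.
$sample = @'
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-01 10:00:01 10.0.0.5 POST /wp-login.php - 80 - 192.0.2.10 StressStimulus 200 0 0 31
2013-05-01 10:00:02 10.0.0.5 POST /wp-login.php - 80 - 192.0.2.10 StressStimulus 403 502 0 0
2013-05-01 10:00:02 10.0.0.5 POST /wp-login.php - 80 - 192.0.2.10 StressStimulus 403 502 0 0
2013-05-01 10:00:03 10.0.0.5 GET /index.php - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15
2013-05-01 10:00:04 10.0.0.5 POST /wp-login.php - 80 - 198.51.100.7 Mozilla/5.0 403 502 0 0
'@

function Get-DynamicIpBlocks {
    param([string[]]$Lines)   # hypothetical helper name
    $fields = $null
    $records = foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; IIS can change them between log files,
            # so never hard-code column positions.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '      # W3C logs encode spaces inside a field as '+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
    # 403.502 is the substatus DIPR writes for "Too many requests from the same client IP".
    $records |
        Where-Object { $_.'sc-status' -eq '403' -and $_.'sc-substatus' -eq '502' } |
        Group-Object 'c-ip', 'cs-uri-stem' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'ClientIp'; e = { $_.Group[0].'c-ip' } },
            @{ n = 'Path';     e = { $_.Group[0].'cs-uri-stem' } }
}

# On the constructed sample this lists 192.0.2.10 (2 blocks) ahead of 198.51.100.7 (1 block).
Get-DynamicIpBlocks -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
# Real log (assumed path): Get-DynamicIpBlocks -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex130501.log')
```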




Summary

The Dynamic IP Restrictions module is available with IIS 8 as well as IIS 7 and IIS 7.5. It is a powerful tool to block automated attacks on your site and requires minimal configuration and maintenance. Thanks for reading.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS
