Mitigating Denial of Service Attacks in IIS 7

In today’s tech-savvy world, Denial of Service attacks against websites have become more commonplace.  While there is no way to prevent a Denial of Service attack, one easy way to minimize the impact of the attack and allow your site to remain online and functional is through the use of the Dynamic IP Restrictions IIS Extension.

The Dynamic IP Restrictions Extension is configurable and provides an easy way to temporarily block IP addresses.  It is also easy to install.

Open the Web Platform Installer (WPI) and search for Dynamic IP Restrictions.  Click on the Add button beside Dynamic IP Restrictions 1.0.  You will note that the current version is a Release Candidate version.  After clicking on Install and accepting the license terms, the WPI works its magic in the background and completes the install.  Now this extension is available to be used at server or site level.

Next, let’s open IIS Manager.  If you want to set this at the server level, highlight the server in the left tree view.  If you want to set this at the site level, highlight the site in the left tree view.  After making your selection you will find a new icon.  Double-click the icon to bring up the settings.

You will notice that by default everything is disabled.  At the top you have two choices, which are not mutually exclusive, so you can set two different deny criteria at the same time.  The descriptions beside the check boxes are self-explanatory as to the criteria on which you would deny IP addresses.

Scrolling down the page we come to Other Settings.  Here you have three options.  The first option is what happens when a request meets the deny criteria that you selected.  You have the option of sending a 401, 403 or 404 status code.  You also have the option of aborting the request and having the web server not send a response at all.  The option that you choose primarily depends on your preference as well as the potential impact on your application.

The second option is Proxy Mode.  If your web server sits behind a proxy server then all the requests often look like they come from a single IP address, that of the proxy server.  In those cases you will want to check this box to have the Dynamic IP Restriction module check the HTTP request looking for the client IP in the X-Forwarded-For header.  Most proxy servers add this header to the request.

The third option is Logging Only Mode.  When you enable Logging Only Mode, the Dynamic IP Restriction takes no action other than writing a standard entry to the site’s W3SVC log file with the status code that you selected for the first option.  Unfortunately it does not generate a separate log file.

As far as recommended settings for the Deny Criteria, I prefer to first go with the default numbers that are present when the option is checked and enable Logging Only Mode.  I then monitor the W3SVC log file for any legitimate IP addresses that would have been blocked and adjust the numbers accordingly.  Since each site’s traffic patterns differ and most Denial of Service attacks differ, there is no perfect deny criteria setting that works best for everybody.
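The log review described above can be scripted. The following is an added example, not code from the original article: it tallies, per client IP, the W3SVC entries that carry the deny status code and lists which known-good addresses appear among them. It assumes the deny action is set to 403 and that the c-ip and sc-status fields are enabled in logging; the sample log and the known-good address are constructed.

```python
from collections import Counter

# Constructed sample in W3C extended format; all addresses are documentation
# ranges, not values from the article. 403 is the assumed deny action.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2012-05-01 10:00:01 GET /default.aspx 198.51.100.7 200 15
2012-05-01 10:00:01 GET /default.aspx 203.0.113.50 403 0
2012-05-01 10:00:01 GET /default.aspx 203.0.113.50 403 0
2012-05-01 10:00:02 GET /api/feed 198.51.100.20 403 0
2012-05-01 10:00:02 GET /default.aspx 203.0.113.50 403 0
truncated-line
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2012-05-01 11:00:00 198.51.100.20 GET /api/feed 403
2012-05-01 11:00:01 198.51.100.7 GET /default.aspx 200
"""


def denied_by_client(lines, deny_status="403"):
    """Count log entries per client IP that carry the configured deny status."""
    fields, counts = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Field order is configurable and the header can repeat mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed entries
        row = dict(zip(fields, values))
        if row.get("sc-status") == deny_status:
            counts[row.get("c-ip", "unknown")] += 1
    return counts


def legitimate_clients_hit(counts, known_good):
    """Return the known-good addresses that would have been blocked."""
    return {ip: n for ip, n in counts.items() if ip in known_good}


if __name__ == "__main__":
    counts = denied_by_client(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}\t{n}")
    print(legitimate_clients_hit(counts, {"198.51.100.20"}))
```

Because the application itself can return the same status code, treat the counts as an upper bound on what the module would have denied. Behind a proxy, c-ip holds the proxy's address, so this tally cannot separate individual clients.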

One last setting that you should be aware of is the Allowed IP Addresses.  In the right actions pane click on Show Allowed Addresses…  That brings up the Allowed IP Addresses table.  You can add IP addresses here that will bypass the Dynamic IP Restrictions filtering and allow them to access your site regardless of the settings.

You should note that Dynamic IP Restrictions is included as part of IIS 8, removing the need to install a separate IIS Extension.

For more information on Dynamic IP Restrictions, please see www.iis.net.

Rick is a Senior Support Lead at OrcsWeb, a hosted server company providing managed hosting solutions.