how to limit the # of connections per IP address in IIS

I'm running windows server 2012 R2. Looks like someone attempted to hack us, as we had over 3800 https requests in a few minutes on our webserver, which crashed our server. The 3800 requests all came from 4 different IP addresses in a few minutes time.

Is there a way in IIS to limit the total number of connections per IP address?
Basically, I want to stop what just occurred this morning from happening in the future.

I came across this, but this limits the total connections for the server, there's no option for limiting connections by IP address.
http://www.iis.net/configreference/system.applicationhost/sites/site/limits

I don't want to limit the total connections for the server because then I can be limiting legit traffic.

During this time, my SQL server was running at 99%, so it stopped everything.

Any thoughts how to solve this issue?



You can enable the IP and Domain Restrictions feature within IIS in Server 2012 R2 to dynamically block IPs that exceed a specified number of requests. See the steps in this article to install and configure this feature on your server: http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions



You can enable the IP and Domain Restrictions feature within IIS in Server 2012 R2 to dynamically block IPs that exceed a specified number of requests. See the steps in this article to install and configure this feature on your server: http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions



Do you know what the requests were trying to access? It sounds like it was an attempt to do something malicious. There's an open source Host Intrusion Prevention System (HIPS) called OSSEC:
http://www.ossec.net/

You can set it to blacklist an IP address that attempts to do something bad. For example, if the same IP address tries to log onto your server as Administrator 10 times in 2 minutes, then that IP can be blocked for good, or for, say, 10 minutes. It will also alert you via e-mail about activity that it detects.



Thanks guys, I came across the IIS IP and domain restrictions plugin a few minutes before you made the post, but thank you.

In regards to the OSSEC, looks like it's not available anymore on windows. I'm running windows servers.
Plus, the website says they don't have a compiler for windows anymore.





Share this

Related Posts

There was an error in this gadget