Using Dynamic IP Restrictions

Author: Ruslan Yakushev

Published on February 16, 2009 by pharr

Updated on May 27, 2009 by pharr


Introduction

The Dynamic IP Restrictions for IIS 7.0 is a module that provides protection against denial of service and brute force attacks on a web server and its web sites. This protection works by temporarily blocking the IP addresses of HTTP clients that make an unusually high number of concurrent requests, or a large number of requests over a short period of time.

Features

The Dynamic IP Restrictions module includes these key features:

  • Blocking of IP addresses based on the number of concurrent requests - if an HTTP client makes many concurrent requests, that client's IP address is temporarily blocked.
  • Blocking of IP addresses based on the number of requests over a period of time - if an HTTP client makes many requests over a short period of time, that client's IP address is temporarily blocked.
  • Various deny actions - it is possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status code 403 or 404, or simply drop the HTTP connection without returning any response.
  • Logging of denied requests - all denied requests can be logged to a W3C formatted log file.
  • Displaying currently blocked IP addresses - a list of currently blocked IP addresses can be obtained through IIS Manager or through the IIS RSCA APIs.
  • IPv6 - the module fully supports IPv6 addresses.

In addition to these features, the Dynamic IP Restrictions for IIS 7.0 provides the same functionality as the built-in IIS 7.0 IPv4 and Domain Restrictions. For that reason, Dynamic IP Restrictions is provided as a replacement for IPv4 and Domain Restrictions.

Installation Instructions

Getting Dynamic IP Restrictions

Prerequisites

Windows Server 2008, Windows Vista SP1, Windows Server 2008 R2 or Windows 7

Installation on a machine with IPv4 and Domain Restrictions

If IIS already has the IPv4 Address and Domain Restrictions module enabled, the Dynamic IP Restrictions installer will need to uninstall the existing module in order to continue the setup process. Note that the existing IPv4 configuration is preserved while the old module is removed and the new module is installed.

Configuring Dynamic IP Restrictions

Dynamic IP Restrictions can be configured by using IIS Manager, the IIS configuration APIs, or the command line tool appcmd.

To access the Dynamic IP Restrictions settings in IIS Manager, follow these steps:

  1. Open IIS Manager.
  2. In the left-hand tree view, select the server node to configure server-wide settings, or select a site node to configure site-specific settings.
  3. In the Features View, click "Dynamic IP Address and Domain Restrictions".
  4. On the "Dynamic IP Address and Domain Restrictions" main page you can specify the IP addresses that need to be either always allowed or always denied. Adding an Allow entry for an IP address ensures that the address will never be blocked, even if its request pattern matches the deny criteria specified in the Dynamic Restrictions settings. Adding a Deny entry for an IP address ensures that the address will always be blocked, regardless of the Dynamic Restrictions settings.
    The actual Dynamic Restrictions settings can be accessed by clicking "Edit Dynamic Restrictions" in the Actions pane on the right-hand side:
  5. Use the Dynamic IP Restrictions page to configure the settings for dynamically blocking IP addresses:

Blocking of IP address based on number of concurrent requests

When this option is used, the server allows any single client IP address to make only a configurable number of concurrent requests. Any additional requests that exceed the specified limit are denied.

A simple way to test this feature is to set the maximum number of concurrent requests to 2, either in the UI or by executing the following appcmd command:

%WINDIR%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/ipSecurity /dynamicRestrictions.denyByConcurrentRequests.enabled:"True" /dynamicRestrictions.denyByConcurrentRequests.maxConcurrentRequests:"2" /commit:apphost

In the root folder of your web site create a file test.aspx and paste the following content into it:

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
  // Hold each request for 3 seconds so that repeated browser refreshes overlap
  System.Threading.Thread.Sleep(3000);
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
  <head runat="server">
    <title>Dynamic IP Restrictions Test</title>
  </head>
  <body>
    <form id="form1" runat="server">
      <div>
        <h1>Hello World!</h1>
      </div>
    </form>
  </body>
</html>

This ASP.NET page sleeps for 3 seconds before returning any response. Save the file, open a web browser, request http://localhost/test.aspx and then continuously press F5 to refresh the page. The browser will make more than 2 concurrent requests, so you will see a 403 - Forbidden error from the server:

Important: When configuring the number of concurrent requests for a real web application, thoroughly test the limit you pick to ensure that legitimate HTTP clients do not get blocked. This is especially important for Rich Internet Applications that have AJAX-enabled web pages and serve media content.

Blocking of IP addresses based on number of requests over time

When this option is used, the server denies requests from any HTTP client IP address that makes more than a configurable number of requests over a period of time. The IP address remains blocked until the number of requests within the time period drops below the configured limit.

To test this feature, set the "Maximum number of requests" to 5 and the "Time period" to 5 seconds, either in IIS Manager or by executing the following appcmd command:

%WINDIR%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/ipSecurity /dynamicRestrictions.denyByRequestsOverTime.enabled:"True" /dynamicRestrictions.denyByRequestsOverTime.maxRequests:"5" /dynamicRestrictions.denyByRequestsOverTime.timeout:"00:00:05" /commit:apphost

Open a web browser, request http://localhost/welcome.png and then press F5 continuously to refresh the page. This generates more than 5 requests over 5 seconds, so you will see the server respond with a 403 - Forbidden status code:

If you wait 10 seconds and then make a request, the request will succeed because the IP address will have been removed from the deny list.

Important: When configuring the number of allowed requests over time for a real web application, thoroughly test the limits you pick to ensure that legitimate HTTP clients do not get blocked. This is especially important for Rich Internet Applications that have AJAX-enabled web pages and serve media content.

Deny Actions

The module can be configured to perform one of the following actions when denying requests from a blocked IP address:

  • Send a 403 (Forbidden) response to the client;
  • Send a 404 (File not found) response to the client;
  • Abort the request by closing the HTTP connection, without sending any response to the client.
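The decision order the article describes (static Allow and Deny entries first, then the concurrent-request limit, then the requests-over-time limit, then the configured deny action) is modelled below and replayed against both test procedures above. This is an added Python example, not the module's code: the timings, the loopback and documentation-range addresses, the DynamicIpRestrictions class and the assumption that denied requests do not count toward the time window are all mine.

```python
import ipaddress
from collections import defaultdict, deque

# Deny actions the article lists: 403, 404, or dropping the connection.
DENY_ACTIONS = {"forbidden": 403, "not_found": 404, "abort": "ABORT"}

class DynamicIpRestrictions:
    """Model (an assumption, not module code) of the decision order the article describes."""

    def __init__(self, max_concurrent=2, max_requests=5, period_s=5.0,
                 deny_action="forbidden", allow=(), deny=()):
        self.max_concurrent = max_concurrent
        self.max_requests = max_requests
        self.period_s = period_s
        self.deny_action = DENY_ACTIONS[deny_action]
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]
        self.in_flight = defaultdict(int)   # requests currently being served, per IP
        self.history = defaultdict(deque)   # timestamps of admitted requests, per IP

    @staticmethod
    def _listed(ip, nets):
        addr = ipaddress.ip_address(ip)     # v4 or v6; a v6 address never matches a v4 net
        return any(addr in n for n in nets)

    def begin_request(self, ip, now):
        """Return None if admitted, else the deny action; pair admitted calls with end_request()."""
        if self._listed(ip, self.allow):    # Allow entry: never blocked
            self.in_flight[ip] += 1
            return None
        if self._listed(ip, self.deny):     # Deny entry: always blocked
            return self.deny_action
        if self.in_flight[ip] >= self.max_concurrent:
            return self.deny_action
        hist = self.history[ip]             # sliding window of admitted requests;
        while hist and now - hist[0] > self.period_s:   # denied ones are assumed not to count
            hist.popleft()
        if len(hist) >= self.max_requests:
            return self.deny_action
        hist.append(now)
        self.in_flight[ip] += 1
        return None

    def end_request(self, ip):
        self.in_flight[ip] -= 1

def concurrent_test():
    """Article's first experiment: limit 2, a 3 s page, three overlapping refreshes."""
    m = DynamicIpRestrictions(max_concurrent=2, max_requests=100)
    return [m.begin_request("127.0.0.1", t) for t in (0.0, 0.5, 1.0)]  # [None, None, 403]

def over_time_test():
    """Article's second experiment: 5 requests per 5 s, six fast refreshes, then a 10 s pause."""
    m = DynamicIpRestrictions(max_concurrent=100, max_requests=5, period_s=5.0)
    results = []
    for t in (0.0, 0.5, 1.0, 1.5, 2.0, 2.5, 12.5):
        results.append(m.begin_request("::1", t))
        if results[-1] is None:
            m.end_request("::1")
    return results  # five admitted, the sixth denied, the request after the pause admitted
```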

Displaying currently blocked IP addresses

To display the currently blocked IP addresses in IIS Manager, open the "Dynamic IP and Domain Restrictions" feature view and click the "Show Blocked Addresses..." action:

IIS Manager displays the currently blocked IP addresses together with the reasons they are blocked. Note that you can permanently allow or deny a particular temporarily blocked IP address by using the "Add to allow list" and "Add to deny list" actions:


Comments

  1. Submitted on Feb 18 2009 by
    pabloweyne
    Excellent. And the brute force FTP?
  2. Submitted on Feb 20 2009 by
    jyjohnson
    Can this (or something else?) be used to block SQL Server login attempts? I see many failed login attempts on my SQL server & would like to block those IPs...
  3. Submitted on Feb 22 2009 by
    waleefi
    This looks really great, I wonder though how it could affect performance in a high traffic website. Can you please give some more details on this?

    Thanks
  4. Submitted on Feb 26 2009 by
    jennylaw
    @jyjohnson - This module does not inspect the nature of the requests, just the number of requests from a particular client, but if you are being attacked by brute force, then you can set up the limits such that the attack gets blocked. Thanks!

    @waleefi - We haven't run a lot of perf tests right now, this being in beta stage now, hence we don't have concrete numbers for perf. It would be great if you could deploy it in your environment and give us any feedback, perf or functionality related!
    Thanks! Jenny
  5. Submitted on Mar 05 2009 by
    evillizard
    I love this. I was using it to protect a couple of pages on my server, but I had to remove it. We use Plesk and it was making Plesk crash.
  6. Submitted on Mar 09 2009 by
    jennylaw
    @evillizard,
    Can you give us details of the crash? If it's something we can fix in the code, we will sure take it.
  7. Submitted on Mar 10 2009 by
    evillizard

    This is what I could find in the logs that is related to the issue. I hope this isn't too much.

    Log Name: Application
    Source: Microsoft-Windows-IIS-W3SVC-WP
    Date: 3/5/2009 2:38:03 PM
    Event ID: 2280
    Task Category: None
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: winweb01
    Description:
    The Module DLL C:\Program Files\IIS\Dynamic IP Restrictions\dynamiciprestrictions.dll failed to load. The data is the error.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-IIS-W3SVC-WP" Guid="{670080D9-742A-4187-8D16-41143D1290BD}" EventSourceName="W3SVC-WP" />
        <EventID Qualifiers="49152">2280</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-03-05T19:38:03.000Z" />
        <EventRecordID>1102</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>winweb01</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="ModuleDll">C:\Program Files\IIS\Dynamic IP Restrictions\dynamiciprestrictions.dll</Data>
        <Binary>05000000</Binary>
      </EventData>
    </Event>

    Log Name: System
    Source: Microsoft-Windows-WAS
    Date: 3/5/2009 2:38:04 PM
    Event ID: 5139
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: winweb01
    Description:
    A listener channel for protocol 'http' in worker process '724' serving application pool 'PleskControlPanel' reported a listener channel failure. The data field contains the error number.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-WAS" Guid="{524B5D04-133C-4A62-8362-64E8EDB9CE40}" EventSourceName="WAS" />
        <EventID Qualifiers="32768">5139</EventID>
        <Version>0</Version>
        <Level>3</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-03-05T19:38:04.000Z" />
        <EventRecordID>11764</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>winweb01</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="AppPoolID">PleskControlPanel</Data>
        <Data Name="ProcessID">724</Data>
        <Data Name="param3">0</Data>
        <Data Name="ProtocolID">http</Data>
        <Binary>05000780</Binary>
      </EventData>
    </Event>


    Log Name: System
    Source: Microsoft-Windows-WAS
    Date: 3/5/2009 2:38:05 PM
    Event ID: 5139
    Task Category: None
    Level: Warning
    Keywords: Classic
    User: N/A
    Computer: winweb01
    Description:
    A listener channel for protocol 'http' in worker process '4344' serving application pool 'PleskControlPanel' reported a listener channel failure. The data field contains the error number.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-WAS" Guid="{524B5D04-133C-4A62-8362-64E8EDB9CE40}" EventSourceName="WAS" />
        <EventID
  8. Submitted on Mar 10 2009 by
    jennylaw
    @evillizard :
    Can you check whether the schema file dynamiciprestr_schema.xml is present in the inetsrv\config\schema directory?
    Also check the values in applicationhost.config ipSecurity section to see whether it adheres to the schema dynamiciprestr_schema.xml
  9. Submitted on Mar 11 2009 by
    ericlev
    I am confused about where/how to enter a list of domains that should not be blocked. On the download page it refers to "Support for static list of Domain Names that are permanently denied or allowed access to the Web Site" but the UI to Add Allow Entry... seems to only want IP addresses or ranges.
  10. Submitted on Mar 11 2009 by
    ericlev
    BTW, I did just find the checkbox to Enable domain name restrictions, but the performance warning scared me off...

    What I am really wanting to do is to allow ALL IPs in general unless some trip over the concurrency or frequency rules. At that point, once a given IP has been flagged, then and only then do I want it to trigger the expensive RDNS lookup to see if it comes from a blessed domain. Basically I am trying to block all crawlers of my site except for a very few known and blessed examples:

    * Google crawlers will end with googlebot.com like in crawl-66-249-70-244.googlebot.com.
    * Yahoo crawlers will end with crawl.yahoo.net like in llf520064.crawl.yahoo.net.
    * Live Search crawlers will end with search.msn.com like in msnbot-65-55-104-161.search.msn.com.
    * Ask crawlers will end with ask.com like in crawler4037.ask.com.

    Since crawlers don't hit the site very often and come from a very narrow set of IPs, if the RDNS was only triggered when someone did trip then it would be well worth the hit. And presumably it would cache the last RDNS for an IP and not keep looking it up...

    Anyway, not sure if this is what is intended, but if you added this you would create a remarkably cool solution.

    In the short term I am going to take the hit with the top crawlers to have them blocked while I play with this for the next few days. But it is an impossibility to keep up with the IP ranges of Google.

    Separately, I couldn't figure out the UI to add an IP range, e.g. 64.13.142.82-64.13.142.86
  11. Submitted on Mar 12 2009 by
    jennylaw
    @evillizard,
    Can you check the ACLs on ProgramFiles/IIS/Dynamic IP Restrictions? You can use icacls for that:

    @ericlev - to add an IP range, there is no direct way to give the start and end address; however, you can achieve the same result by giving the start address and the correct subnet mask.
  12. Submitted on Mar 14 2009 by
    jennylaw
    @ericlev,
    Regarding the RDNS, we do cache the last looked up entry. The cached entry is used if the TTL has not expired, and the record is not stale.
  13. Submitted on Apr 24 2009 by
    rwbitters
    Nice Work! This replacement for the standard restrictions tool is great. I'm just using it to restrict access to an allowed list of IPv4 and IPv6 addresses. The only problem that I had with it was that I needed to reset IIS for my changes to take effect.
  14. Submitted on Apr 27 2009 by
    maxp
    @jennylaw
    We've been having problems with this module killing sites and application pools:

    From Log - System:

    A process serving application pool '**our site name**' suffered a fatal communication error with the Windows Process Activation Service. The process id was '*our process id*'. The data field contains the error number.

    And from Log - Application

    Faulting application w3wp.exe, version 7.0.6001.18000, time stamp 0x47919ed8, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791adec, exception code 0xc0000374, fault offset 0x00000000000a6e97, process id 0x814, application start time 0x01c9c7278c07ddac.

  15. Submitted on Apr 27 2009 by
    jennylaw
    Can you generate a dump file, and send it across to jennylaw@microsoft.com
    I will take a look.
  16. Submitted on Apr 27 2009 by
    jennylaw
    Please send a crash dump file to jennylaw@microsoft.com.
    I will take a look.
    Thanks,
    Jenny
  17. Submitted on May 13 2009 by
    dgallek
    We installed the Dynamic IP blocking today at 1pm and by 3pm today, it was causing 503 errors.

    We are getting the same type log errors as maxp:

    application log

    Faulting application w3wp.exe, version 7.0.6001.18000, time stamp 0x47919413, faulting module ntdll.dll, version 6.0.6001.18000, time stamp 0x4791a7a6, exception code 0xc0000374, fault offset 0x000b015d, process id 0x16b4, application start time 0x01c9d3fe23be2c29.

    event log

    A process serving application pool 'professionaldevelopmentmatters.com' suffered a fatal communication error with the Windows Process Activation Service. The process id was '5564'. The data field contains the error number.

  18. Submitted on May 15 2009 by
    jennylaw
    Hi dgallek,
    We are working on a patch for this issue, will mostly release this early next week.
    Thanks for reporting this issue.

    Jenny
  19. Submitted on May 26 2009 by
    notandy
    I would like to be able to redirect the denied IPs to another website. Is there any possibility for this to be implemented in the future? This would be handy for performing maintenance on a site or if an authorized person is accessing the site from an unauthorized location. Thanks
  20. Submitted on May 26 2009 by
    jennylaw
    @notandy: Thanks for your feedback, we will take a look at this and its feasibility for the next release.

    Jenny
  21. Submitted on May 27 2009 by
    sunss
    Unless I'm doing something wrong there seems to be a big issue with Dynamic IP Restrictions. I'm setting up a virtual web under the root of the website to be only accessible by a range of IPs, so I've added the allow range against the sub website, and set access for unspecified clients to deny. However this applies the 'deny' policy across *all* websites from the root down, even though the config on the higher level sites is still showing allow unspecified clients.

    Is this something that can be patched fairly soon?
  22. Submitted on Jun 01 2009 by
    dgallek
    Hi Jenny,

    Any word on the patch? Is there someplace I should look specifically when the patch is released?
  23. Submitted on Jun 03 2009 by
    jennylaw
    We are in the release process for the patch. You will see an update on this thread, as well as on the iis.net forum.
    Thanks for your patience.

    Jenny
  24. Submitted on Jun 11 2009 by
    krolson
    The patch for the long site name issue is now available. There is a patch for existing installs, and the installer has also been updated so that new installs will already contain the patch.

    You can get the patch or the updated download through WebPI or directly from IIS.net (http://www.iis.net/extensions/DynamicIPRestrictions).

    More information on whether you need the patch, where to get it, and other related install topics are covered in this blog post: http://blogs.iis.net/krolson/archive/2009/06/08/patch-for-dynamic-ip-restrictions-for-iis-7-beta.aspx
  25. Submitted on Sep 21 2009 by
    gunstar
    looks v.useful - have had a quick play, seems to work well.

    I'd like to use some preformatted subnet block lists e.g.:

    http://www.wizcrafts.net/chinese-iptables-blocklist.html

    Am I correct in thinking that once formatted correctly, these could just be added to 'applicationhost.config' in 'C:\Windows\System32\inetsrv\config' ? To save having to type them in manually?

    Is there an upper limit on the number of subnets you would recommend?

    Cheers
  26. Submitted on Oct 17 2009 by
    ppcar
    Great tool!

    I have a question before I start using it on production servers: when a maximum number of requests over a period is configured, which kind of requests are controlled? Main pages (like aspx, html, etc.), or any kind of request (pages, but also images, scripts, etc.)?

    Summarizing: 1 page with 30 images and 4 scripts, are these 35 requests for this module?

    Thanks from Spain
