IIS 8.0 Dynamic IP Address & Domains Restrictions
Yesterday, I attended a session on IIS 8.0 at TechEd India 2012 Live. It was very interesting and informative. There are lots of enhancements in IIS 8.0 over IIS 7.0, right from application initialization to configuration, access restrictions, expanded CPU throttling, Non-Uniform Memory Access (NUMA) hardware support, Server Name Indication (SNI) and centralized SSL support for scalability and manageability, and many others. Here I am going to post on the Dynamic IP & Domain Restrictions feature, which is introduced in IIS 8.0.
Before IIS 8.0, server administrators could allow or deny access for a specific IP address or range of IP addresses. But finding the IP addresses behind a mass attack was still a tedious task for the server administrator, as it involved analyzing the IIS logs periodically and manually adding any new IP address found to the deny list.
A solution to the above problem is that instead of blocking an IP based on its address, we should block an IP based on its activity, for e.g. the maximum number of concurrent requests, the total number of requests over a period of time, etc. Yes, this is where IIS 8.0 and Dynamic IP Address & Domain Restrictions come into the picture. The Dynamic IP Address & Domain Restrictions feature of IIS 8.0 enables administrators to block an IP based on its activity.
Blocking access based on the number of requests in IIS 8.0
Open IIS Manager, navigate to the website you want to configure and click on the IP Address and Domain Restrictions feature.
Now click on the Edit Dynamic Restriction Settings... link in the Actions pane on the right-hand side.
Clicking on it will open a dialog box which allows you to configure dynamic IP blocking. There are two options available to block an IP based on its activity.
1) Maximum number of concurrent requests
This setting ensures that if the number of concurrent requests from any IP address exceeds the configured limit, IIS will not serve that request and will deny it.
2) Maximum number of requests over a period of time
This setting ensures that if any IP address sends more requests than the allowed limit within the specified time, IIS will not serve that request and will deny it. For e.g., as shown in the image above, if any IP sends more than 20 requests within 200 milliseconds, IIS will deny the request.
Response behavior while denying requests
To configure the response behavior while denying requests in IIS 8, click on the Edit Feature Settings... link in the Actions pane on the right-hand side.
In the image below we can see the available deny action types: Unauthorized, Forbidden, Not Found, and Abort. Based on this setting, IIS will send a response with the respective HTTP status code (or abort the connection).
Dynamic IP restrictions and proxies
Many clients access websites through one or more proxy servers; in this case IIS may see the same IP address in all requests even though they come from different clients. To address this situation, we can configure IIS 8 to check the X-Forwarded-For HTTP header instead. To enable this, simply check the Enable Proxy Mode checkbox as displayed in the following image.
So in a nutshell, we can say that the Dynamic IP Address and Domain Restrictions feature of IIS 8 adds a security improvement to the website by blocking mass requests from one client.
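The same settings the post configures through IIS Manager (20 requests per 200 ms, the deny action and proxy mode) can be scripted so they are repeatable across servers. The following PowerShell is an added example, not code from the original post; it assumes an elevated session on the IIS 8 host, that the IP and Domain Restrictions role service is installed, and that the site name is a placeholder you replace with your own.

```powershell
# Added example: configure IIS 8 Dynamic IP Restrictions for one site.
# Assumes: elevated PowerShell on the IIS 8 host; the "Web-IP-Security"
# role service (IP and Domain Restrictions) is installed; $site is a
# placeholder name for the website being protected.
Import-Module WebAdministration

$site   = 'Default Web Site'                        # placeholder
$pspath = 'MACHINE/WEBROOT/APPHOST'                 # applicationHost.config
$filter = 'system.webServer/security/dynamicIpSecurity'

# Writing into applicationHost.config via -Location works even when the
# dynamicIpSecurity section is locked against web.config overrides.
function Set-DipProperty($element, $name, $value) {
    Set-WebConfigurationProperty -PSPath $pspath -Location $site `
        -Filter "$filter/$element" -Name $name -Value $value
}

# 1) Deny a client that holds more than 10 requests open at the same time.
Set-DipProperty 'denyByConcurrentRequests' 'enabled'               $true
Set-DipProperty 'denyByConcurrentRequests' 'maxConcurrentRequests' 10

# 2) Deny a client that sends more than 20 requests within 200 ms
#    (the values used in the post).
Set-DipProperty 'denyByRequestRate' 'enabled'                       $true
Set-DipProperty 'denyByRequestRate' 'maxRequests'                   20
Set-DipProperty 'denyByRequestRate' 'requestIntervalInMilliseconds' 200

# Deny action: AbortRequest, Unauthorized, Forbidden or NotFound.
Set-WebConfigurationProperty -PSPath $pspath -Location $site `
    -Filter $filter -Name 'denyAction' -Value 'Forbidden'

# Proxy mode makes IIS rate-limit on X-Forwarded-For. Only turn it on when
# a trusted reverse proxy in front of IIS sets that header; otherwise the
# value is chosen by the client and the limits can be bypassed.
Set-WebConfigurationProperty -PSPath $pspath -Location $site `
    -Filter $filter -Name 'enableProxyMode' -Value $true

# Trial the thresholds first: logging-only mode records would-be denials
# in the IIS log without blocking anyone. Set to $false to enforce.
Set-WebConfigurationProperty -PSPath $pspath -Location $site `
    -Filter $filter -Name 'enableLoggingOnlyMode' -Value $true

# Read back the effective configuration for the site.
Get-WebConfiguration -PSPath $pspath -Location $site -Filter $filter |
    Select-Object denyAction, enableProxyMode, enableLoggingOnlyMode
```

Run with logging-only mode first, watch the IIS log for 403 entries that would have been denied, then set enableLoggingOnlyMode to $false once the thresholds do not catch legitimate clients behind shared NAT addresses.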