The IIS team has released the Dynamic IP Restrictions Extension for IIS 7.0 - Beta. The Dynamic IP Restrictions provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.
Install the Dynamic IP Restrictions Beta Today!
If IIS already has IPv4 Address and IP restrictions module enabled then Dynamic IP Restrictions installer will need to un-install the existing module in order to continue the setup process. Note that the existing IPv4 configuration will be preserved while old module is removed and new module is installed.
The Dynamic IP Restrictions includes these key features:
- Blocking of IP addresses based on number of concurrent requests - If HTTP client makes many concurrent requests then that client's IP address gets temporarily blocked.
- Blocking of IP address based on number of requests over a period of time - If HTTP client makes many requests over short period of time then that client's IP address gets temporarily blocked.
- Various deny actions - it is possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status codes 403 and 404 or just drop the HTTP connection and do not return any response.
- Logging of denied requests – all dynamically denied requests can be logged into a W3C formatted log file.
- Displaying currently blocked IP addresses - a list of currently blocked IP addresses can be obtained by using IIS Manager or by using IIS RSCA API's.
- IPv6 - the module fully supports IPv6 addresses.
In additions to these features, the Dynamic IP Restrictions for IIS 7.0 provides the same functionality that exists in IIS 7.0 built-in IPv4 and Domain Restrictions. Because of that the Dynamic IP Restrictions is provided as a replacement for IPv4 and Domain Restrictions.
Module walkthrough: http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/
Support forum: http://forums.iis.net/1043.aspx