Block Multiple Incoming IP connections using Windows Firewall

I'm using a Windows 2008 server and wanted to know if there was a way to block multiple incoming IP connections to the server using Windows Firewall?

eg If there is 4 connections from the SAME IP. It would prevent it from allowing additional connections OR it would block that IP completely.

This is to prevent certain security issues I’ve been getting - mainly due to UDP flooding.
ultramooAsked:
Who is Participating?
 
xylogCommented:
I wrote this batch file before I realized you said UDP. UDP is not connection based so there is no way to check the number of connections. You could do this for tcp with a batch file that used netstat to count connections. For UDP you would have to monitor number of packets per second per IP or something similar. There are perfmon counters for these. I will try to do one for  UDP using the counters.

Please note this batch file uses sort and uniq which are utilities you can find here -> http://sourceforge.net/projects/unxutils/


@echo off 
if exist %temp%\~tempfile.txt del %temp%\~tempfile.txt
if exist %temp%\~tempfile2.txt del %temp%\~tempfile2.txt
if exist %temp%\~tempfile3.txt del %temp%\~tempfile3.txt
for /f "tokens=3" %%i in ('netstat -an ^|findstr /i established^|findstr /v 127.0.0.1') do echo %%i >> %temp%\~tempfile.txt
for /f "delims=:" %%i in (%temp%\~tempfile.txt) do echo %%i>>%temp%\~tempfile2.txt
sort %temp%\~tempfile2.txt|uniq -c > %temp%\~tempfile3.txt
for /f "tokens=1-2" %%i in (%temp%\~tempfile3.txt) do if %%i neq 1 echo Block %%j with %%i connections && netsh advfirewall firewall add rule name="Block %%j" dir=in protocol=any action=block remoteip=%%j

Open in new window

0
 
fluk3dCommented:
If you block that IP it will block all connections you do not need to specify the service your blocking unless you set it up that way.
0
 
ultramooAuthor Commented:
problem is everyday I have about 5 to 6 differnet IPs that attempt to attack. It makes it difficult to manually add IP blocks all the time. So i need somthing automated that will block for me when the attack occures
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
fluk3dCommented:
Is this server public facing? Would it be worthwhile to implement a hardware firewall that has IPS/IDS? This would take all the stress of the machine
0
 
ultramooAuthor Commented:
I run public game serves and our popularity is rapidly increasing. Some of the game servers are not well implemented and have many issues. I've read an artical explain how to fix some of the issues and which of them is to block multuple IP connections. They gave instructions for linux but not windows. So there is no way for windows to do this?
0
 
fluk3dCommented:
You can block the entire subnet if they are "like" however, the windows firewall is not huerestic based it is primarily designed for blocking connections that are not specified on the ACL.

The articles you were reading were probably related to ipchains/iptables which have that ability with custom programming.

If you are looking for something more automated based on anomalies/type of traffic/ddos/dos prevention the only suggestion I would have is a software based firewall designed for deep packet inspection.
0
 
xylogCommented:
WARNING!!!! The script above is set to ban any ip with more than one connection!!!! I did this for testing and forgot to change it to 100 or some large value. This can be potentially disastrous especially if you are connecting to a remote server using RDP. You could very easily ban your own ip!!!!!
0
 
Fred MarshallPrincipalCommented:
To avoid confusion, instead of:
"a way to block multiple incoming IP connections"
(which would restrict all but one connection over all)
perhaps
"a way to block multiple incoming connections from the same IP"

A lot depends on what you want.
You can certainly block individual IP addresses or subnets  or contiguous ranges of IP addresses.
In some firewalls, you can make a list of them and group list entires into a single rule.

A good firewwall will deal with such attacks.  Something like Juniper Networks SSG-5 or 20 or ....
0
 
ultramooAuthor Commented:
Thanks for this script. I can now use this idea  and implement a simple program in C to check for multiple IP connections and block them - didn't think of this before.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.