Solved

Block Multiple Incoming IP connections using Windows Firewall

Posted on 2010-11-25
Last Modified: 2012-05-10
I'm using a Windows 2008 server and wanted to know if there was a way to block multiple incoming IP connections to the server using Windows Firewall?

E.g., if there are 4 connections from the SAME IP, it would prevent it from allowing additional connections OR it would block that IP completely.

This is to prevent certain security issues I’ve been getting - mainly due to UDP flooding.
Question by:ultramoo
9 Comments
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212240
If you block that IP, it will block all connections; you do not need to specify the service you're blocking unless you set it up that way.
0
 

Author Comment

by:ultramoo
ID: 34212346
Problem is, every day I have about 5 to 6 different IPs that attempt to attack. It makes it difficult to manually add IP blocks all the time. So I need something automated that will block for me when the attack occurs.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212354
Is this server public facing? Would it be worthwhile to implement a hardware firewall that has IPS/IDS? This would take all the stress off the machine.
0
 

Author Comment

by:ultramoo
ID: 34212371
I run public game servers and our popularity is rapidly increasing. Some of the game servers are not well implemented and have many issues. I've read an article explaining how to fix some of the issues, one of which is to block multiple IP connections. They gave instructions for Linux but not Windows. So there is no way for Windows to do this?
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212394
You can block the entire subnet if they are "like"; however, the Windows firewall is not heuristic based. It is primarily designed for blocking connections that are not specified on the ACL.

The articles you were reading were probably related to ipchains/iptables which have that ability with custom programming.

If you are looking for something more automated based on anomalies/type of traffic/ddos/dos prevention the only suggestion I would have is a software based firewall designed for deep packet inspection.
0
 
LVL 5

Accepted Solution

by:
xylog earned 2000 total points
ID: 34212646
I wrote this batch file before I realized you said UDP. UDP is not connection based so there is no way to check the number of connections. You could do this for TCP with a batch file that used netstat to count connections. For UDP you would have to monitor number of packets per second per IP or something similar. There are perfmon counters for these. I will try to do one for UDP using the counters.

Please note this batch file uses sort and uniq which are utilities you can find here -> http://sourceforge.net/projects/unxutils/


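@echo off
rem Remove temp files left over from a previous run.
if exist %temp%\~tempfile.txt del %temp%\~tempfile.txt
if exist %temp%\~tempfile2.txt del %temp%\~tempfile2.txt
if exist %temp%\~tempfile3.txt del %temp%\~tempfile3.txt
rem Collect the foreign address (third column) of every established, non-loopback connection.
for /f "tokens=3" %%i in ('netstat -an ^|findstr /i established^|findstr /v 127.0.0.1') do echo %%i >> %temp%\~tempfile.txt
rem Strip the port, keeping only the remote IP.
for /f "delims=:" %%i in (%temp%\~tempfile.txt) do echo %%i>>%temp%\~tempfile2.txt
rem Count connections per IP (uniq -c prefixes each IP with its count).
sort %temp%\~tempfile2.txt|uniq -c > %temp%\~tempfile3.txt
rem Add an inbound block rule for every IP whose connection count is not 1.
for /f "tokens=1-2" %%i in (%temp%\~tempfile3.txt) do if %%i neq 1 echo Block %%j with %%i connections && netsh advfirewall firewall add rule name="Block %%j" dir=in protocol=any action=block remoteip=%%j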


0
 
LVL 5

Expert Comment

by:xylog
ID: 34212664
WARNING!!!! The script above is set to ban any IP with more than one connection!!!! I did this for testing and forgot to change it to 100 or some large value. This can be potentially disastrous, especially if you are connecting to a remote server using RDP. You could very easily ban your own IP!!!!!
0
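The netstat-counting idea from the accepted answer, with the two problems raised in the follow-up warning handled (a configurable threshold and an allowlist so the admin's own RDP address is never banned). This is an added example in Python, not code from the thread: the function names, the sample netstat text and the allowlist are assumptions, and it only builds the `netsh` command lines rather than running them.

```python
import ipaddress
from collections import Counter
# Constructed `netstat -an` excerpt; all addresses are documentation ranges.
SAMPLE = """\
  Proto  Local Address      Foreign Address        State
  TCP    192.0.2.10:27015   198.51.100.7:50001     ESTABLISHED
  TCP    192.0.2.10:27015   198.51.100.7:50002     ESTABLISHED
  TCP    192.0.2.10:27015   198.51.100.7:50003     ESTABLISHED
  TCP    192.0.2.10:27015   198.51.100.7:50004     ESTABLISHED
  TCP    192.0.2.10:27015   198.51.100.7:50005     ESTABLISHED
  TCP    192.0.2.10:27015   198.51.100.7:50006     TIME_WAIT
  TCP    192.0.2.10:3389    203.0.113.5:49152      ESTABLISHED
  TCP    192.0.2.10:3389    203.0.113.5:49153      ESTABLISHED
  TCP    [2001:db8::10]:80  [2001:db8::9]:50010    ESTABLISHED
  TCP    127.0.0.1:5000     127.0.0.1:50020        ESTABLISHED
  UDP    0.0.0.0:27015      *:*
"""

def remote_ip(endpoint):
    """Drop the port from 'a.b.c.d:port' or '[v6%zone]:port'; None if not an IP."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def count_established(netstat_text):
    """Count ESTABLISHED TCP rows per remote IP; UDP rows (no State column) and loopback are skipped."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "ESTABLISHED":
            ip = remote_ip(fields[2])
            if ip is not None and not ip.is_loopback:
                counts[ip] += 1
    return counts

def block_commands(counts, threshold, allowlist=()):
    """Build (not run) netsh rules for IPs above threshold and outside the allowlist."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    return [
        f'netsh advfirewall firewall add rule name="Block {ip}" '
        f"dir=in protocol=any action=block remoteip={ip}"
        for ip, n in sorted(counts.items(), key=lambda kv: str(kv[0]))
        if n > threshold and not any(ip in net for net in allowed)
    ]

if __name__ == "__main__":
    print("\n".join(block_commands(count_established(SAMPLE), 4, ["203.0.113.0/24"])))
```

With a threshold of 1 and no allowlist, as in the posted batch file, the same sample also yields a block rule for the RDP client at 203.0.113.5.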
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 34213328
To avoid confusion, instead of:
"a way to block multiple incoming IP connections"
(which would restrict all but one connection over all)
perhaps
"a way to block multiple incoming connections from the same IP"

A lot depends on what you want.
You can certainly block individual IP addresses or subnets or contiguous ranges of IP addresses.
In some firewalls, you can make a list of them and group list entries into a single rule.

A good firewall will deal with such attacks. Something like Juniper Networks SSG-5 or 20 or ....
0
 

Author Closing Comment

by:ultramoo
ID: 34214000
Thanks for this script. I can now use this idea  and implement a simple program in C to check for multiple IP connections and block them - didn't think of this before.
0
