Solved

Block Multiple Incoming IP connections using Windows Firewall

Posted on 2010-11-25
Last Modified: 2012-05-10
I'm using a Windows 2008 server and wanted to know if there was a way to block multiple incoming IP connections to the server using Windows Firewall?

E.g., if there are 4 connections from the SAME IP, it would prevent it from allowing additional connections OR it would block that IP completely.

This is to prevent certain security issues I’ve been getting - mainly due to UDP flooding.
0
Question by:ultramoo
9 Comments
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212240
If you block that IP, it will block all connections. You do not need to specify the service you're blocking unless you set it up that way.
0
 

Author Comment

by:ultramoo
ID: 34212346
The problem is that every day I have about 5 to 6 different IPs that attempt to attack. It makes it difficult to manually add IP blocks all the time. So I need something automated that will block for me when the attack occurs.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212354
Is this server public facing? Would it be worthwhile to implement a hardware firewall that has IPS/IDS? This would take all the stress off the machine.
0
 

Author Comment

by:ultramoo
ID: 34212371
I run public game servers and our popularity is rapidly increasing. Some of the game servers are not well implemented and have many issues. I've read an article explaining how to fix some of the issues, and one of them is to block multiple IP connections. They gave instructions for Linux but not Windows. So there is no way for Windows to do this?
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212394
You can block the entire subnet if they are "like"; however, the Windows firewall is not heuristic-based. It is primarily designed for blocking connections that are not specified on the ACL.

The articles you were reading were probably related to ipchains/iptables which have that ability with custom programming.

If you are looking for something more automated based on anomalies/type of traffic/ddos/dos prevention the only suggestion I would have is a software based firewall designed for deep packet inspection.
0
 
LVL 5

Accepted Solution

by:
xylog earned 500 total points
ID: 34212646
I wrote this batch file before I realized you said UDP. UDP is not connection based so there is no way to check the number of connections. You could do this for TCP with a batch file that used netstat to count connections. For UDP you would have to monitor number of packets per second per IP or something similar. There are perfmon counters for these. I will try to do one for UDP using the counters.

Please note this batch file uses sort and uniq which are utilities you can find here -> http://sourceforge.net/projects/unxutils/


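@echo off
rem Count established TCP connections per remote IP and add a block rule for repeat offenders.
rem Requires sort and uniq (UnxUtils) on the PATH.
if exist "%temp%\~tempfile.txt" del "%temp%\~tempfile.txt"
if exist "%temp%\~tempfile2.txt" del "%temp%\~tempfile2.txt"
if exist "%temp%\~tempfile3.txt" del "%temp%\~tempfile3.txt"
rem Column 3 of each ESTABLISHED netstat line is the foreign address (ip:port).
for /f "tokens=3" %%i in ('netstat -an ^|findstr /i established^|findstr /v 127.0.0.1') do echo %%i >> "%temp%\~tempfile.txt"
rem Strip the port and keep only the IP (IPv4 only: an IPv6 address is cut at its first colon).
for /f "usebackq delims=:" %%i in ("%temp%\~tempfile.txt") do echo %%i>>"%temp%\~tempfile2.txt"
rem Count how many times each IP appears.
sort "%temp%\~tempfile2.txt"|uniq -c > "%temp%\~tempfile3.txt"
rem Column 1 is the count, column 2 the IP. "neq 1" blocks every IP with more than one connection.
for /f "usebackq tokens=1-2" %%i in ("%temp%\~tempfile3.txt") do if %%i neq 1 echo Block %%j with %%i connections && netsh advfirewall firewall add rule name="Block %%j" dir=in protocol=any action=block remoteip=%%j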

0
 
LVL 5

Expert Comment

by:xylog
ID: 34212664
WARNING!!!! The script above is set to ban any IP with more than one connection!!!! I did this for testing and forgot to change it to 100 or some large value. This can be potentially disastrous especially if you are connecting to a remote server using RDP. You could very easily ban your own IP!!!!!
0
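The counting approach from the accepted answer, with the two safeguards the warning above calls for (a configurable threshold and an allowlist for your own address), as an added example that is not part of the original thread. The function names, the `$MaxPerIp` and `$Allowlist` values, and the sample netstat lines are constructed; the script only prints the `netsh` commands so they can be reviewed before anything is blocked.

```powershell
# Added example (not from the thread): dry-run per-IP connection counter.
$MaxPerIp  = 3                       # assumed limit; the thread suggests 100 or some large value
$Allowlist = @('198.51.100.10')      # assumed: the address you administer the server from (RDP)

# Constructed sample in "netstat -an" layout. On a live server use: $lines = netstat -an
$lines  = 1..5 | ForEach-Object { "  TCP    203.0.113.5:27015    192.0.2.44:5000$_     ESTABLISHED" }
$lines += 1..4 | ForEach-Object { "  TCP    203.0.113.5:3389     198.51.100.10:6000$_  ESTABLISHED" }
$lines += '  TCP    203.0.113.5:27015    192.0.2.80:51000     ESTABLISHED'
$lines += '  TCP    [2001:db8::5]:27015  [2001:db8::99]:52000 ESTABLISHED'
$lines += '  TCP    127.0.0.1:5939       127.0.0.1:49200      ESTABLISHED'
$lines += '  TCP    0.0.0.0:27015        0.0.0.0:0            LISTENING'

function Get-RemoteAddress([string]$Line) {
    # Columns: Proto, Local Address, Foreign Address, State
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 4 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { return $null }
    # Cut the port at the LAST colon so bracketed IPv6 addresses stay whole.
    $i = $f[2].LastIndexOf(':')
    if ($i -lt 1) { return $null }
    $ip = $f[2].Substring(0, $i).Trim('[', ']')
    if ($ip -eq '127.0.0.1' -or $ip -eq '::1') { return $null }
    return $ip
}

function Get-BlockCandidates([string[]]$Lines, [int]$MaxPerIp, [string[]]$Allowlist) {
    $counts = @{}
    foreach ($l in $Lines) {
        $ip = Get-RemoteAddress $l
        if ($ip) { $counts[$ip] = 1 + [int]$counts[$ip] }
    }
    # Keep only addresses over the limit that are not explicitly trusted.
    $counts.GetEnumerator() |
        Where-Object { $_.Value -gt $MaxPerIp -and $Allowlist -notcontains $_.Key } |
        Sort-Object Value -Descending
}

foreach ($c in Get-BlockCandidates -Lines $lines -MaxPerIp $MaxPerIp -Allowlist $Allowlist) {
    # Printed, not executed: review the list before applying any rule.
    '# {0}: {1} established connections' -f $c.Key, $c.Value
    'netsh advfirewall firewall add rule name="Block {0}" dir=in protocol=any action=block remoteip={0}' -f $c.Key
}
```

As the accepted answer notes, this only covers TCP; UDP has no connection state for netstat to count.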
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 34213328
To avoid confusion, instead of:
"a way to block multiple incoming IP connections"
(which would restrict all but one connection overall)
perhaps
"a way to block multiple incoming connections from the same IP"

A lot depends on what you want.
You can certainly block individual IP addresses or subnets or contiguous ranges of IP addresses.
In some firewalls, you can make a list of them and group list entries into a single rule.

A good firewall will deal with such attacks. Something like Juniper Networks SSG-5 or 20 or ....
0
 

Author Closing Comment

by:ultramoo
ID: 34214000
Thanks for this script. I can now use this idea and implement a simple program in C to check for multiple IP connections and block them - didn't think of this before.
0
