Solved

Block Multiple Incoming IP connections using Windows Firewall

Posted on 2010-11-25
Last Modified: 2012-05-10
I'm using a Windows 2008 server and wanted to know if there was a way to block multiple incoming IP connections to the server using Windows Firewall?

e.g. if there are 4 connections from the SAME IP, it would prevent it from allowing additional connections OR it would block that IP completely.

This is to prevent certain security issues I’ve been getting - mainly due to UDP flooding.
Question by:ultramoo
9 Comments
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212240
If you block that IP, it will block all connections; you do not need to specify the service you're blocking unless you set it up that way.
0
 

Author Comment

by:ultramoo
ID: 34212346
The problem is that every day I have about 5 to 6 different IPs that attempt to attack. It makes it difficult to manually add IP blocks all the time. So I need something automated that will block for me when the attack occurs.
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212354
Is this server public facing? Would it be worthwhile to implement a hardware firewall that has IPS/IDS? This would take all the stress off the machine.
0

 

Author Comment

by:ultramoo
ID: 34212371
I run public game servers and our popularity is rapidly increasing. Some of the game servers are not well implemented and have many issues. I've read an article explaining how to fix some of the issues, and one of them is to block multiple IP connections. They gave instructions for Linux but not Windows. So there is no way for Windows to do this?
0
 
LVL 6

Expert Comment

by:fluk3d
ID: 34212394
You can block the entire subnet if they are "like"; however, the Windows Firewall is not heuristic-based; it is primarily designed for blocking connections that are not specified on the ACL.

The articles you were reading were probably related to ipchains/iptables which have that ability with custom programming.

If you are looking for something more automated based on anomalies/type of traffic/ddos/dos prevention the only suggestion I would have is a software based firewall designed for deep packet inspection.
0
 
LVL 5

Accepted Solution

by:
xylog earned 500 total points
ID: 34212646
I wrote this batch file before I realized you said UDP. UDP is not connection based, so there is no way to check the number of connections. You could do this for TCP with a batch file that used netstat to count connections. For UDP you would have to monitor the number of packets per second per IP or something similar. There are perfmon counters for these. I will try to do one for UDP using the counters.

Please note this batch file uses sort and uniq which are utilities you can find here -> http://sourceforge.net/projects/unxutils/


@echo off
rem Start from clean temp files.
if exist %temp%\~tempfile.txt del %temp%\~tempfile.txt
if exist %temp%\~tempfile2.txt del %temp%\~tempfile2.txt
if exist %temp%\~tempfile3.txt del %temp%\~tempfile3.txt
rem Collect the foreign address (3rd column) of every established, non-loopback connection.
for /f "tokens=3" %%i in ('netstat -an ^|findstr /i established^|findstr /v 127.0.0.1') do echo %%i >> %temp%\~tempfile.txt
rem Strip the port so only the remote IP remains.
for /f "delims=:" %%i in (%temp%\~tempfile.txt) do echo %%i>>%temp%\~tempfile2.txt
rem Count connections per IP (uniq -c comes from UnxUtils).
sort %temp%\~tempfile2.txt|uniq -c > %temp%\~tempfile3.txt
rem Add an inbound block rule for every IP whose connection count is not 1.
for /f "tokens=1-2" %%i in (%temp%\~tempfile3.txt) do if %%i neq 1 echo Block %%j with %%i connections && netsh advfirewall firewall add rule name="Block %%j" dir=in protocol=any action=block remoteip=%%j


0
 
LVL 5

Expert Comment

by:xylog
ID: 34212664
WARNING!!!! The script above is set to ban any IP with more than one connection!!!! I did this for testing and forgot to change it to 100 or some large value. This can be potentially disastrous, especially if you are connecting to a remote server using RDP. You could very easily ban your own IP!!!!!
0
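The same counting idea in PowerShell, with the two safeguards raised in the warning above (a configurable threshold and an allow list for the administrator's own address). This is an added example, not code from anyone in the thread; `Get-BlockCommand`, `-MaxConnections` and `-AllowList` are hypothetical names, and the sample lines are constructed with documentation-range addresses. Like the batch file, it covers established TCP connections only, and it prints the `netsh` commands for review rather than running them.

```powershell
function Get-BlockCommand {
    param(
        [string[]]$NetstatLines,          # output of `netstat -an`, one line per element
        [int]$MaxConnections = 4,         # block only when an IP exceeds this count
        [string[]]$AllowList = @()        # IPs that must never be blocked (e.g. your RDP source)
    )
    $counts = @{}
    foreach ($line in $NetstatLines) {
        $f = -split $line                 # whitespace-separated columns
        # Keep only established TCP rows: Proto, Local, Foreign, State.
        if ($f.Count -lt 4 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }
        # Drop the trailing :port, then the brackets netstat puts around IPv6 addresses.
        $ip = $f[2] -replace ':\d+$' -replace '^\[|\]$'
        if ($ip -eq '127.0.0.1' -or $ip -eq '::1' -or $AllowList -contains $ip) { continue }
        $counts[$ip] = 1 + $counts[$ip]
    }
    # Emit one netsh command per offending IP, using the rule syntax from the batch file.
    $counts.GetEnumerator() | Sort-Object Name |
        Where-Object { $_.Value -gt $MaxConnections } |
        ForEach-Object {
            'netsh advfirewall firewall add rule name="Block {0}" dir=in protocol=any action=block remoteip={0}' -f $_.Name
        }
}

# Constructed sample input: one noisy client, one admin RDP source, one normal client.
$SampleNetstat  = @('  Proto  Local Address      Foreign Address       State')
$SampleNetstat += 50100..50104 | ForEach-Object { "  TCP  192.0.2.10:27015  203.0.113.7:$_  ESTABLISHED" }
$SampleNetstat += 61000..61004 | ForEach-Object { "  TCP  192.0.2.10:3389  198.51.100.20:$_  ESTABLISHED" }
$SampleNetstat += @(
    '  TCP  192.0.2.10:27015       198.51.100.99:40000     ESTABLISHED'
    '  TCP  [2001:db8::10]:27015   [2001:db8::77]:40001    ESTABLISHED'
    '  TCP  127.0.0.1:5000         127.0.0.1:5001          ESTABLISHED'
    '  TCP  0.0.0.0:27015          0.0.0.0:0               LISTENING'
    '  UDP  0.0.0.0:27015          *:*'
)

# The admin address is allow-listed, so only the noisy client is reported.
Get-BlockCommand -NetstatLines $SampleNetstat -AllowList '198.51.100.20'

# On a live server, review the output before running any of it:
#   Get-BlockCommand -NetstatLines (netstat -an) -MaxConnections 100 -AllowList '<your admin IP>'
```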
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 34213328
To avoid confusion, instead of:
"a way to block multiple incoming IP connections"
(which would restrict all but one connection over all)
perhaps
"a way to block multiple incoming connections from the same IP"

A lot depends on what you want.
You can certainly block individual IP addresses or subnets or contiguous ranges of IP addresses.
In some firewalls, you can make a list of them and group list entries into a single rule.

A good firewall will deal with such attacks. Something like Juniper Networks SSG-5 or 20 or ....
0
 

Author Closing Comment

by:ultramoo
ID: 34214000
Thanks for this script. I can now use this idea and implement a simple program in C to check for multiple IP connections and block them - didn't think of this before.
0
