• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2568
  • Last Modified:

how to limit the # of connections per IP address in IIS

I'm running windows server 2012 R2.  Looks like someone attempted to hack us, as we had over 3800 https requests in a few minutes on our webserver, which crashed our server.  The 3800 requests all came from 4 different IP addresses in a few minutes time.

Is there a way in IIS to limit the total number of connections per IP address?
Basically, I want to stop what just occurred this morning from happening in the future.

I came across this, but this limits the total connections for the server, there's no option for limiting connections by IP address.
http://www.iis.net/configreference/system.applicationhost/sites/site/limits

I don't want to limit the total connections for the server because then I can be limiting legit traffic.

During this time, my SQL server was running at 99%, so it stopped everything.

Any thoughts how to solve this issue?
0
Dan
Asked:
Dan
2 Solutions
 
VB ITSSpecialist ConsultantCommented:
You can enable the IP and Domain Restrictions feature within IIS in Server 2012 R2 to dynamically block IPs that exceed a specified number of requests. See the steps in this article to install and configure this feature on your server: http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions
1
 
R. Toby RichardsNetwork AdministratorCommented:
Do you know what the requests were trying to access? It sounds like it was an attempt to do something malicious. There's an open source Host Intrusion Prevention System (HIPS) called OSSEC:

http://www.ossec.net/

You can set it to blacklist an IP address that attempts to do something bad. For example, if the same IP address tries to log onto your server as Administrator 10 times in 2 minutes, then that IP can be blocked for good, or for, say, 10 minutes. It will also alert you via e-mail about activity that it detects.
0
 
DanNetwork EngineerAuthor Commented:
Thanks guys, I came across the  IIS IP and domain restrictions plugin a few minutes before you made the post, but thank you.

In regards to the OSSEC, looks like it's not available anymore on windows.  I'm running windows servers.
Plus, the website says they don't have a compiler for windows anymore.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now