how to limit the # of connections per IP address in IIS

I'm running windows server 2012 R2.  Looks like someone attempted to hack us, as we had over 3800 https requests in a few minutes on our webserver, which crashed our server.  The 3800 requests all came from 4 different IP addresses in a few minutes time.

Is there a way in IIS to limit the total number of connections per IP address?
Basically, I want to stop what just occurred this morning from happening in the future.

I came across this, but this limits the total connections for the server, there's no option for limiting connections by IP address.
http://www.iis.net/configreference/system.applicationhost/sites/site/limits

I don't want to limit the total connections for the server because then I can be limiting legit traffic.

During this time, my SQL server was running at 99%, so it stopped everything.

Any thoughts how to solve this issue?
DanNetwork EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

VB ITSSpecialist ConsultantCommented:
You can enable the IP and Domain Restrictions feature within IIS in Server 2012 R2 to dynamically block IPs that exceed a specified number of requests. See the steps in this article to install and configure this feature on your server: http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
R. Toby RichardsNetwork AdministratorCommented:
Do you know what the requests were trying to access? It sounds like it was an attempt to do something malicious. There's an open source Host Intrusion Prevention System (HIPS) called OSSEC:

http://www.ossec.net/

You can set it to blacklist an IP address that attempts to do something bad. For example, if the same IP address tries to log onto your server as Administrator 10 times in 2 minutes, then that IP can be blocked for good, or for, say, 10 minutes. It will also alert you via e-mail about activity that it detects.
0
DanNetwork EngineerAuthor Commented:
Thanks guys, I came across the  IIS IP and domain restrictions plugin a few minutes before you made the post, but thank you.

In regards to the OSSEC, looks like it's not available anymore on windows.  I'm running windows servers.
Plus, the website says they don't have a compiler for windows anymore.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.