Training
Module
Introduction to Azure DDoS Protection - Training
Learn how to guard your Azure services from a denial of service attack using Azure DDoS Protection.
This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
by Nazim Lala
The Dynamic IP Restrictions (DIPR) module for IIS 7.0 and above provides protection against denial of service and brute force attacks on web servers and web sites. To provide this protection, the module temporarily blocks IP addresses of HTTP clients that make an unusually high number of concurrent requests or that make a large number of requests over small period of time.
The Dynamic IP Restrictions module includes these key features:
You can try the following methods to install the Dynamic IP Restrictions:
From the Select Role Services screen, navigate to Web Server (IIS) > Web Server > Security. Check the IP and Domain Restrictions check box and click Next to continue.
You must have one of the following operating systems.
If you are using the first Beta release of the DIPR module, you must uninstall it before you install the Release Candidate, or an error will occur and the installation will fail. Make sure you back up your configuration before uninstalling the Beta version.
If you are using the Beta 2 release of the DIPR module you can upgrade directly to the final release. Your configuration settings will be preserved.
The Dynamic IP Restrictions can be configured by using either IIS Manager, IIS configuration APIs or by using command line tool appcmd.
To access Dynamic IP Restriction settings in IIS Manager follow these steps:
When using this option, the server will allow any client's IP address to make only a configurable number of concurrent requests. Any additional requests that exceed the specified limit will be denied.
A simple way to test this feature is to set the maximum number of concurrent requests to 2 by either using UI or by executing appcmd command:
%WINDIR%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/dynamicIpSecurity
/denyByConcurrentRequests.enabled:"True"
/denyByConcurrentRequests.maxConcurrentRequests:"2"
/commit:apphost
In the root folder of your web site create a file test.aspx and paste the following content into it:
<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
System.Threading.Thread.Sleep(3000);
}
</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Dynamic IP Restrictions Test</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<h1>Hello World!</h1>
</div>
</form>
</body>
</html>
This ASP.NET page for 3 seconds before returning any response. Save the file and then open web browser, request http://localhost/test.aspx
and then continuously hit F5 to refresh the browser. This will result in browser making more than 2 concurrent requests so as a result you will see the 403 - Forbidden error from server:
Important
When configuring number of concurrent requests for a real web application, thoroughly test the limit that you pick to ensure that valid HTTP clients do not get blocked. This is especially important for Rich Internet Applications that have AJAX enabled web pages and serve media content.
When using this option the server will deny requests from any HTTP client's IP address that makes more than configurable number of requests over a period of time. The IP address will remain blocked until the number of requests within a time period drops below the configured limit.
To test this feature set the "Maximum number of requests" to 5 and "Time period" to 5000 by using either IIS Manager or by executing appcmd command:
%WINDIR%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/dynamicIpSecurity /denyByRequestRate.enabled:"True" /denyByRequestRate.maxRequests:"5" /denyByRequestRate.requestIntervalInMilliseconds:"5000" /commit:apphost
Open web browser, request http://localhost/welcome.png
and then hit F5 to continuously refresh the page. This will generate more than 5 requests over 5 seconds so as a result you will see server responding with 403 - Forbidden status code:
If you wait for another 5 seconds when all the previous requests have executed and then make a request, the request will succeed.
Important
When configuring number of allowed requests over time for a real web application, thoroughly test the limits that you pick to ensure that valid HTTP clients do not get blocked. This is especially important for Rich Internet Applications that have AJAX enabled web pages and serve media content.
The module can be configured to perform the following actions when denying requests for IP addresses:
If your web servers are behind a firewall or proxy machine, then the client IP for all requests might show up as the IP of the proxy or firewall server. This would hamper the ability for Dynamic IP Restriction module to be useful. Most of such servers however add an X-Forwarded-For header in the HTTP request that contains the original client's IP address. Selecting the "Proxy" mode checkbox in the main Dynamic IP Restrictions configuration page will check for client IP address in this header first.
Training
Module
Introduction to Azure DDoS Protection - Training
Learn how to guard your Azure services from a denial of service attack using Azure DDoS Protection.