More cool stuff from the IIS team – The Dynamic IP Restrictions module (beta)

Tags: IIS

Hot off the presses!

The Dynamic IP Restrictions module includes these key features:
  • Blocking of IP addresses based on the number of concurrent requests – If an HTTP client makes many concurrent requests, that client’s IP address gets temporarily blocked.
  • Blocking of IP addresses based on the number of requests over a period of time – If an HTTP client makes many requests over a short period of time, that client’s IP address gets temporarily blocked.
  • Various deny actions – It is possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status code 403 or 404, or just drop the HTTP connection without returning any response.
  • Logging of denied requests – All dynamically denied requests can be logged to a W3C-formatted log file.
  • Displaying currently blocked IP addresses – A list of currently blocked IP addresses can be obtained by using IIS Manager or the IIS RSCA APIs.
  • IPv6 – The module fully supports IPv6 addresses.
In addition to these features, the Dynamic IP Restrictions module for IIS 7.0 provides the same functionality as the built-in IPv4 and Domain Restrictions in IIS 7.0. Because of that, Dynamic IP Restrictions is provided as a replacement for IPv4 and Domain Restrictions.

More information

Module walkthrough: http://learn.iis.net/page.aspx/548/using-dynamic-ip-restrictions/

Support forum: http://forums.iis.net/1043.aspx
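
To see how the two blocking rules in the feature list interact with the temporary block, the deny action and the denied-request log, here is a small Python model. It is an added illustration, not the module's code; the class name, the thresholds, the block duration and the choice to canonicalise addresses are all assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque

class DynamicIpLimiter:
    """Model of the two blocking rules; every threshold is an assumed value."""
    def __init__(self, max_concurrent=5, max_requests=20, window=1.0,
                 block_for=30.0, deny_action=403, clock=time.monotonic):
        self.max_concurrent, self.max_requests = max_concurrent, max_requests
        self.window, self.block_for = window, block_for
        self.deny_action, self.clock = deny_action, clock  # 403, 404 or "abort"
        self.active = defaultdict(int)      # ip -> requests currently in flight
        self.recent = defaultdict(deque)    # ip -> timestamps inside the window
        self.blocked_until = {}             # ip -> time the temporary block ends
        self.denied_log = []                # (time, ip, reason, action)

    def _key(self, ip):
        return str(ipaddress.ip_address(ip))  # one counter per address, any spelling

    def begin_request(self, ip):
        """Return None when the request is allowed, else the deny action."""
        ip, now = self._key(ip), self.clock()
        if self.blocked_until.get(ip, 0.0) > now:
            return self._deny(ip, now, "blocked")
        self.blocked_until.pop(ip, None)    # block has expired, client starts fresh
        hits = self.recent[ip]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                  # forget requests older than the window
        hits.append(now)
        if len(hits) > self.max_requests:
            reason = "rate"
        elif self.active[ip] >= self.max_concurrent:
            reason = "concurrency"
        else:
            self.active[ip] += 1
            return None
        self.blocked_until[ip] = now + self.block_for
        return self._deny(ip, now, reason)

    def end_request(self, ip):
        ip = self._key(ip)
        self.active[ip] = max(0, self.active[ip] - 1)

    def _deny(self, ip, now, reason):
        self.denied_log.append((now, ip, reason, self.deny_action))
        return self.deny_action

    def currently_blocked(self):
        now = self.clock()
        return sorted(ip for ip, end in self.blocked_until.items() if end > now)
```

Call `begin_request` when a request arrives and `end_request` when its response completes; `clock` is injectable so the block expiry can be exercised without waiting.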

8 Comments

  • http:// said

    Urm, Apache has had these features for about a decade... but I'm happy that IIS are there now.

  • http:// said

    Finally! Dynamic blocking rules have been sorely missing for some time, and firewall based solutions are expensive on a number of levels. This is a welcome extension. Now if they can get it out of beta.

  • steve schofield said

    Hope they come out with something for FTP also. I'm not familiar enough with Apache beyond the basics.

  • http:// said

    Yawn. Wake me when IIS runs in true 64-bit mode, doesn't have to recycle the app pool every 2 hours on a busy web site, and is as reliable as Apache.
    —Downer Dave
    P.S. This from a dude that doesn't like Apache.

  • http:// said

    Great – I'd like to see this functionality implemented in every server process on the internet. It really makes architectural sense to me to embed this functionality in every server. As a lucky side effect data centres would use more energy with that extra processing requirement. Power companies could then drag us out of the financial crisis.

  • Jason P Sage said

    Well, I like many Web Server software – and of course I'm biased for my own – Jegas Application Server, but I am pleased to hear my friendly Microsoft Shop Clients will have this ability, though Downer Dave's comment made me grin at the same time.

    Personally I think techniques like these and others like "Knock Knock – Who's There" for secure systems, and varieties of the said blocking IP techniques that allow – "forgiveness"… (Time elapsed release of ban) … 2nd Offense… (Longer Time Elapsed Forgiveness) – 3rd Time – permanent/Admin discretion ban implemented – or some user configurable variation/version of this as some IPs are genuinely used by a nuisance user one day, and the next the same PC is used by someone's Grand Mother… But obviously repeated attempts from the same IP warrant the Server protecting its computing horse power and data via whatever means available – BAN BAN BAN 🙂

    –Jason P Sage
