14 DAY TRIAL // A new tool available for download from Microsoft at no charge is designed to add an extra layer of defense against Denial of Service and Brute-force password cracking attacks. Dynamic IP Restrictions Beta is offered for free and is set up to integrate seamlessly with Internet Information Services 7.0. At the start of this week, Dynamic IP Restrictions for IIS 7.0 debuted into Beta stage, with Microsoft offering no indication as when it planned to release the solution to web. Still, administrators can already grab the extension and start testing it.
“The IIS team has released the Dynamic IP Restrictions Extension for IIS 7.0 - Beta. The Dynamic IP Restrictions Extension provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level,” Ruslan Yakushev, a program manager on the Microsoft IIS team in charge of FastCGI and PHP support, revealed.
Essentially, what the Dynamic IP Restrictions for IIS 7.0 is designed to do is identify HTTP clients that make a high volume of concurrent requests and react in accordance by classifying the behavior as an attack and block that client's IP address. In addition to monitoring the concurrency of requests, the extension also tracks the number of requests over short periods of time, which could also be indicative of an attack, resulting in the blocking of IP addresses.
At the same time, Dynamic IP Restrictions for IIS 7.0 is capable of “various deny actions – it is possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status codes 403 and 404 or just drop the HTTP connection and do not return any response. Logging of dynamically denied requests – all denied requests can be logged into a W3C formatted log file. Displaying currently blocked IP addresses – a list of currently blocked IP addresses can be obtained by using IIS Manager or by using IIS RSCA API’s. IPv6 – the module fully supports IPv6 addresses,” Yakushev added.
Dynamic IP Restrictions Beta for IIS 7.0 is available for download here.