Q: Does Microsoft IIS 7.0 include a feature to protect an IIS web server from Denial of Service (DoS) attacks? Does Microsoft’s ISA Server 2006 include a similar feature?

A: In a DoS attack, malicious software or agents send a large number of HTTP connection requests to a web server in an attempt to overload the server and make it unresponsive. IIS 7.0 doesn't include a feature to product against such attacks out of the box, but Microsoft recently released the beta for an extension called Dynamic IP Restrictions for IIS 7.0 to protect IIS 7.0 better against DoS attacks.

Microsoft provides the Dynamic IP Restrictions extension as a replacement for the IIS 7.0 IPv4 and Domain Restrictions feature. IPv4 and Domain Restrictions can be used to block requests from certain IP addresses and domain names in a static way—you have to explicitly define the IP address or domain name of a malicious machine or agent in the IIS console.

The Dynamic IP Restrictions extension can block incoming connections from certain IP addresses based on the number of concurrent requests—if an HTTP client makes many concurrent requests, that client's IP address is temporarily blocked. It can also block connections based on the number of incoming requests over a period—if an HTTP client makes many requests over a short period, that client's IP address is temporarily blocked.

The extension can block connections in these two ways without explicitly defining the IP address or domain name of the malicious machine in the IIS console. You simply set a connection limit and IIS will automatically block machines from making new connections if they exceed the limit.

The extension also allows you to define different deny actions. It's possible to specify what response to return to an HTTP client whose IP address is blocked. The module can return status codes 403 and 404 or just drop the HTTP connection and not return any response.

In addition to the new functions listed above, the Dynamic IP Restrictions extension also provides the functionality that exists in the legacy built-in IIS 7.0 IPv4 and Domain Restrictions.

As of the time of writing, the IIS 7.0 Dynamic IP Restrictions extensions are only available as beta code and it's not clear when a final version will be officially released. You can download an x86 version and a 64-bit version. See this IIS.net article for a more detailed description on how to configure the Dynamic IP Restrictions extension.

ISA Server 2006 includes a feature similar to what the Dynamic IP Restrictions extension offers called flood mitigation, which is available out of the box. Flood mitigation lets you define limits for the number of concurrent TCP connections and HTTP requests from a given IP address. For a more detailed description of this ISA Server 2006 feature and how to set it up, see this article and this article.

Related Reading:
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.