4.11 Ensure 'Dynamic IP Address Restrictions' is enabled - Deny By Concurrent Requests

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified number of requests or request frequency.

Note: Ensure that you receive the Forbidden page once the block has been enforced.

Rationale:

IIS Dynamic IP Address Restrictions capability can be used to thwart DDos attacks. This is complimentary to the IP Addresses and Domain names Restrictions lists that can be manually maintained within IIS. In contrast, Dynamic IP address filtering allows administrators to configure the server to block access for IPs that exceed the specified request threshold. The default action Deny action for restrictions is to return a Forbidden response to the client.

Impact:

Clients will receive a forbidden response when the specified number of requests or request frequency is exceeded.

Solution

Open IIS Manager.

Open the IP Address and Domain Restrictions feature.

Click Edit Dynamic Restrictions Settings..

Check the Deny IP Address based on the number of concurrent requests and the Deny IP Address based on the number of requests over a period of time boxes. The values can be tweaked as needed for your specific environment.

OR

Enter the following command in PowerShell to configure:

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests' -name 'enabled' -value 'True'

Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter 'system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests' -name 'maxConcurrentRequests' -value <number of requests>

Default Value:

By default Dynamic IP Restrictions are not enabled.

See Also

https://workbench.cisecurity.org/files/4131