by Stian

IIS Dynamic IP Restrictions

We just discovered the Dynamic IP Restrictions (DIPR) module for IIS 7.0 and above, which provides protection against denial-of-service and brute-force attacks on web servers and web sites. As of May 2012 this module is still only available as an “RC” version, but it is absolutely worth a try.

The Dynamic IP Restrictions module includes these key features:


  • Blocking of IP addresses based on number of concurrent requests – If an HTTP client exceeds the number of concurrent requests allowed, that client’s IP address gets temporarily blocked.
  • Blocking of IP addresses based on number of requests over a period of time – If an HTTP client exceeds the number of requests made over a specified time interval, that client’s IP address gets temporarily blocked.
  • Allow list of IP addresses that will not be blocked – You can add a list of the IP addresses of clients you want to exclude from being blocked by the module regardless of other configuration.
  • Various deny actions – You can specify which response to return to an HTTP client whose IP address is blocked. The module can return status codes 403 and 404 or just terminate the HTTP connection and not return any response.
  • Support for web servers behind a proxy – If your web server is behind a proxy, you can configure the module to use the client IP address from an X-Forwarded-For header.
  • IPv6 – The module provides full support for IPv6 addresses.
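
The decision logic in the feature list above, modelled in Python as an added illustration; this is not the module's own code. The class and parameter names, the thresholds, the choice of the first X-Forwarded-For entry and the rule that denied requests still count are assumptions, and the addresses are constructed.

```python
from collections import defaultdict, deque

class DynamicIpModel:
    """Illustrative model only; names, defaults and semantics are assumptions."""
    def __init__(self, max_concurrent=5, max_requests=20, interval=0.2,
                 allow=(), proxy_mode=False, deny_action=403):
        self.max_concurrent, self.max_requests = max_concurrent, max_requests
        self.interval = interval          # length of the rate window, seconds
        self.allow = set(allow)           # never blocked, whatever the counters say
        self.proxy_mode = proxy_mode      # key on X-Forwarded-For instead of peer
        self.deny_action = deny_action    # 403, 404 or "abort" (drop connection)
        self.active = defaultdict(int)    # in-flight requests per client key
        self.recent = defaultdict(deque)  # request timestamps per client key

    def client_key(self, remote_addr, headers):
        xff = headers.get("X-Forwarded-For", "")
        if self.proxy_mode and xff:
            return xff.split(",")[0].strip()  # assumption: first entry is the client
        return remote_addr

    def begin(self, remote_addr, headers, now):
        """Return 200 when the request is admitted, otherwise the deny action."""
        key = self.client_key(remote_addr, headers)
        if key in self.allow:
            return 200
        window = self.recent[key]
        while window and now - window[0] >= self.interval:
            window.popleft()              # forget requests older than the window
        window.append(now)                # denied requests still count
        if len(window) > self.max_requests or self.active[key] >= self.max_concurrent:
            return self.deny_action
        self.active[key] += 1
        return 200

    def end(self, remote_addr, headers):
        key = self.client_key(remote_addr, headers)  # call once per admitted request
        if key not in self.allow and self.active[key] > 0:
            self.active[key] -= 1

def demo():
    """Client A bursts through a proxy, then client B sends one request."""
    proxy, a, b = "10.0.0.1", "198.51.100.7", "203.0.113.9"  # constructed
    results = {}
    for mode in (False, True):
        m = DynamicIpModel(max_requests=3, interval=1.0, proxy_mode=mode)
        codes = [m.begin(proxy, {"X-Forwarded-For": a}, t * 0.1) for t in range(5)]
        codes.append(m.begin(proxy, {"X-Forwarded-For": b}, 0.6))
        results[mode] = codes
    return results
```

With `proxy_mode` off, every client behind the proxy shares the proxy's counter, so client B is denied because of client A's burst; with it on, B is counted separately and admitted.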

You can download the release candidates here: