[TUT] Prevent Direct IP IIS Flood using CloudFlare

Johno

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
581
245
Hey everyone

I have had many customers contacting me because of others in the community or ex technical staff on their hotels flooding the IIS directly as they had knowledge of the servers IP address. This may help people that are using providers who will not provide support on such issues or may charge a fee to change an IP address.

This will work on any version of IIS

Firstly you need to download IP Address and Domain Restrictions this can be done via the Microsoft website or using web platform installer, in this tutorial I will use web platform installer

Depending on your server providers DDOS protection by using this method you may not need a TCP proxy


3edb3881tut_1.png


You need to choose this option

46f642e3tut_2.png


Once this has installed, return to IIS main page and select the IP address and Domain Restrictions icon


8a98a823tut_3.png


Once you have opened this tab, right click and choose Add Allow Entry

2ea6a866tut_4.png


Now you can begin to add IP addresses to the allowed list, as this tutorial is showing you how to allow CloudFlare IP addresses only I will show you how to add these ranges, thew same method applies to both IPv4 and IPv6

You can find the latest IP ranges list here on the CloudFlare website

You must be registered for see links


You add the IP address and the number after the slash into the Mask or Prefix box, you do this for each range from the CloudFlare website

14cbed98tut_5.png


Next you need to Configure IIS to enforce the allowed list

2b78021ctut_6.png



You need to select the Edit Feature Settings option on the right side of the IP and Domain Restrictions window you have open


84a0fa7etut_7.png


You need to now set the Access for unspecified clients to Deny

420c7347tut_8.png


You need to set the Deny action type to Abort or the connections will still be allowed to make an attempted connection making this useless

If you need to still access your server locally add 127.0.0.1 to the allowed list and visit
You must be registered for see links
instead of
You must be registered for see links


This will not stop all DDOS attacks but can help prevent direct IIS flooding and possibly remove the need for a TCP proxy too.

This can also be achieved using the Windows firewall to block all connections apart from those in the allowed list as stated by @yoyok - If using this method be very careful as incorrect changes to the firewall can leave you unable to connect to the server and some providers may not assist in helping you undo the changes to the firewall.
 
Last edited:
J

Joe

Well-Known Member
Jun 10, 2012
4,090
1,918
NOC said:
Hey everyone

I have had many customers contacting me because of others in the community or ex technical staff on their hotels flooding the IIS directly as they had knowledge of the servers IP address. This may help people that are using providers who will not provide support on such issues or may charge a fee to change an IP address.

This will work on any version of IIS

Firstly you need to download IP Address and Domain Restrictions this can be done via the Microsoft website or using web platform installer, in this tutorial I will use web platform installer

Depending on your server providers DDOS protection by using this method you may not need a TCP proxy


3edb3881tut_1.png


You need to choose this option

46f642e3tut_2.png


Once this has installed, return to IIS main page and select the IP address and Domain Restrictions icon


8a98a823tut_3.png


Once you have opened this tab, right click and choose Add Allow Entry

2ea6a866tut_4.png


Now you can begin to add IP addresses to the allowed list, as this tutorial is showing you how to allow CloudFlare IP addresses only I will show you how to add these ranges, thew same method applies to both IPv4 and IPv6

You can find the latest IP ranges list here on the CloudFlare website

You must be registered for see links


You add the IP address and the number after the slash into the Mask or Prefix box, you do this for each range from the CloudFlare website

14cbed98tut_5.png


Next you need to Configure IIS to enforce the allowed list

2b78021ctut_6.png



You need to select the Edit Feature Settings option on the right side of the IP and Domain Restrictions window you have open


84a0fa7etut_7.png


You need to now set the Access for unspecified clients to Deny

420c7347tut_8.png


You need to set the Deny action type to Abort or the connections will still be allowed to make an attempted connection making this useless

If you need to still access your server locally add 127.0.0.1 to the allowed list and visit
You must be registered for see links
instead of
You must be registered for see links


This will not stop all DDOS attacks but can help prevent direct IIS flooding and possibly remove the need for a TCP proxy too.
Click to expand...
Awesome tutorial man! I’m sure it’ll help a lot of people :)
 
yoyok

yoyok

Member
Apr 24, 2013
197
24
Do you really thing that this will help with advanced flooding (DoS) methods... shake my head.

Instead block it before it reach your orgin server.
 
Johno

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
581
245
yoyok said:
Do you really thing that this will help with advanced flooding (DoS) methods... shake my head.

Instead block it before it reach your orgin server.
Click to expand...
The purpose of this is "if" some how your direct IP address is leaked by ex staff or you do not want to use a TCP proxy this helps prevent attacks, I did state in the tut that "This will not stop all DDOS attacks but can help prevent direct IIS flooding "

This is a cheap and effective handy tip I am giving as you can have as much protection you want sitting in front of your IIS but someone gets the direct IP address of the server the third party protection is useless.
 
yoyok

yoyok

Member
Apr 24, 2013
197
24
NOC said:
The purpose of this is "if" some how your direct IP address is leaked by ex staff or you do not want to use a TCP proxy this helps prevent attacks, I did state in the tut that "This will not stop all DDOS attacks but can help prevent direct IIS flooding "

This is a cheap and effective handy tip I am giving as you can have as much protection you want sitting in front of your IIS but someone gets the direct IP address of the server the third party protection is useless.
Click to expand...

I would rather then use the webserver 'Firewall advanced' method to allow only Cloudflare IP's. It's more effectieve.
 
Johno

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
581
245
yoyok said:
I would rather then use the webserver 'Firewall advanced' method to allow only Cloudflare IP's. It's more effectieve.
Click to expand...
That is your choice, this is a tutorial to help people who are still learning, not really a discussion. There are lots of ways to archive the same end result
 
yoyok

yoyok

Member
Apr 24, 2013
197
24
NOC said:
That is your choice, this is a tutorial to help people who are still learning, not really a discussion. There are lots of ways to archive the same end result
Click to expand...
The method i explained with your method will have much more better result! If you don't mind, just add it to your thread too. :')
 
Johno

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
581
245
yoyok said:
The method i explained with your method will have much more better result! If you don't mind, just add it to your thread too. :')
Click to expand...
I added it to the bottom of the tut, I chose to release this as I felt due to some people being very new making changes to a firewall if you do not understand the full implications can result in losing access to the server, as a provider we are happy to help customers regain access but I am aware of some who will issue a charge for this or just flat out refuse to assist on unmanaged services.
 

Users who are viewing this thread

Total: 2 (members: 0, guests: 2)
☀️  Switch to Light Theme

Latest posts

Top