Windows Azure Website DIPR Dynamic IP Restrictions

Last week, I posted about Windows Azure Websites Always On as a means to keep your website hot and ready for guest access. Today, I’m going to cover how to make your website more secure in the fight against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

DoS and DDoS attacks are becoming more and more commonplace on the internet, and the more successful and visible a site becomes, the greater the chance of it being attacked. If you are running your web site on Windows Azure then the good news is that you are largely already covered, as Microsoft employ various security products and technologies to protect the Windows Azure environment. You can find out more about what Microsoft do to protect Azure at the Windows Azure Trust Center at http://www.windowsazure.com/en-us/support/trust-center/security/.

What is Dynamic IP Restrictions

With the above in mind regarding the in-built protection in Windows Azure, you can still do more to help yourself with the help of an IIS extension called Dynamic IP Restrictions, or DIPR for short. DIPR is available on the Windows Azure Web Sites platform without any plugin or module installation on your part. All you need to do as a site owner or administrator is enable it for your site and configure some thresholds. All of this is done through the web.config file for your site.

Configure Dynamic IP Restrictions

To access the Windows Azure Web Site web.config file, use FTP or FTPS to access your wwwroot web site path using your deployment credentials and your favourite FTP client. If you don’t know or remember these then you can view the username in use and reset the password from the Windows Azure Management Portal at https://manage.windowsazure.com.

To enable Dynamic IP Restrictions for your site, add the following lines to your web.config file.

         <denyByRequestRate enabled="true" maxRequests="500" requestIntervalInMilliseconds="5000"/>

The system.webServer node will already exist in your web.config file, and there is a chance that the security node may exist already too, so check for these and add the lines in the correct place; otherwise you risk bringing your site crashing down due to a malformed configuration file.

With the lines installed in the file, you need to configure the denyByRequestRate node of dynamicIpSecurity with an appropriate rate limit. maxRequests is the maximum number of requests a single client IP address may send to the site within the interval, and requestIntervalInMilliseconds is the timeframe over which the DIPR extension for IIS counts those requests.

Change the Restriction Response Code

When a client breaches the threshold given, the default posture of DIPR is to present the client with an HTTP 403 Forbidden code; however, you can customise this with any of the following codes:

  • AbortRequest 0
  • Unauthorized 401
  • Forbidden 403
  • NotFound 404

To customise the response, amend the dynamicIpSecurity node with the denyAction parameter as follows. Just exchange the option inside the denyAction quotation marks for the response you want to use.

<dynamicIpSecurity denyAction="AbortRequest">

Setting the values for maxRequests and requestIntervalInMilliseconds is the hardest part here, as you need to balance security against functionality. If your site is particularly popular with one company that routes its internet traffic through a proxy appliance, you could see a high volume of connections coming from a single public IP address, which means you may need to raise your limits. Setting the limit too high, though, means you are allowing potential attackers a head-start against the site before DIPR cuts in to fend them off.
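The two steps above (enabling denyByRequestRate, then setting denyAction) assembled into one complete web.config fragment, as an added example rather than a snippet from the post. The enableLoggingOnlyMode attribute and the denyByConcurrentRequests element are standard IIS 8 dynamicIpSecurity settings the post does not mention; they are included here because a logging-only dry run against real traffic is the practical way to size the limits before enforcing them, and the sample values are constructed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- The security node may already exist; merge rather than duplicate it. -->
    <security>
      <!-- denyAction: AbortRequest | Unauthorized | Forbidden (default) | NotFound.
           enableLoggingOnlyMode="true" records would-be blocks in the IIS log without
           denying anything; set it to "false" once the thresholds fit your real traffic.
           (enableLoggingOnlyMode is an IIS attribute not covered in the post above.) -->
      <dynamicIpSecurity denyAction="NotFound" enableLoggingOnlyMode="true">
        <!-- Deny a client IP that sends more than 500 requests in any 5000 ms window.
             Start high if a proxy appliance fronts many of your users. -->
        <denyByRequestRate enabled="true"
                           maxRequests="500"
                           requestIntervalInMilliseconds="5000" />
        <!-- Also deny a client IP holding more than 20 requests open at once
             (denyByConcurrentRequests is an IIS element not covered in the post above). -->
        <denyByConcurrentRequests enabled="true" maxConcurrentRequests="20" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>
```

Review the IIS logs after a representative period in logging-only mode: the highest legitimate per-IP count inside a 5000 ms window tells you how much headroom maxRequests needs before you switch enforcement on.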

Protect an On-Premise IIS Web Server

My closing remark on this is that although I’ve spoken about DIPR with respect to Windows Azure Web Sites, you can also install this extension for IIS on Windows Server and use it to protect internal corporate sites against disgruntled employees, or to protect IIS on Windows Server running in a DMZ segment that hosts your on-premise, publicly accessible websites. You can download and install DIPR by using the Web Platform Installer (Web PI) from Microsoft at http://www.microsoft.com/web/downloads/platform.aspx.