Pattern Based DDOS Blocking

From Hostek.com Wiki

This article covers pattern-based DDoS blocking in a Windows IIS environment: identifying the request pattern shared by the attack traffic in the HTTP logs, then blocking that pattern with a URL Rewrite rule.

Identifying Patterns

If you suspect that your site may be under a DDOS attack, the first place to look will be the HTTP logs. This is where the web server records information for each request made to a site. For domains added using our control panel, the default log directory will be:

C:\home\domainname.com\logs\W3SVC##

For sites added to IIS manually, the default log directory will be:

C:\inetpub\logs\LogFiles\W3SVC##

NOTE: ## represents the site's ID number as shown in IIS.


After finding the log directory, open the log with the date of the attack, or today's log if the attack is still in progress. First, glance over the log file to determine whether there is truly an attack in progress. If you can identify traffic that you are certain is not normal, look for patterns in that traffic that can be used to block it. Specifically, look for any combination of the following request details that is the same for every bad request:

URL
REQUEST METHOD
QUERY STRING
USER-AGENT

If you can identify enough of the above request details that are the same for every bad request without blocking normal site traffic, then continue to the next section to add the blocking rule.
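As an added example (not part of the original article), the following Python script parses a W3C-format IIS log and counts how often each combination of request method, URL, query string and user-agent appears, together with how many distinct client addresses sent it, so the dominant pattern stands out with numbers rather than by eye. The log lines are constructed for the example; field names follow IIS's `#Fields` directive.

```python
from collections import Counter

# Constructed sample of an IIS W3C log (not taken from a real server).
# IIS writes '-' for empty fields and replaces spaces inside a value with '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-04-14 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2014-04-14 00:00:01 10.0.0.5 GET /index.html - 80 198.51.100.10 Mozilla/5.0+(Windows+NT+6.1) 200
2014-04-14 00:00:01 10.0.0.5 POST /search.aspx q=aaaa 80 203.0.113.7 FloodBot/1.0 200
2014-04-14 00:00:01 10.0.0.5 POST /search.aspx q=aaaa 80 203.0.113.8 FloodBot/1.0 200
2014-04-14 00:00:02 10.0.0.5 GET /about.html - 80 198.51.100.11 Mozilla/5.0+(Macintosh) 200
2014-04-14 00:00:02 10.0.0.5 POST /search.aspx q=aaaa 80 203.0.113.9 FloodBot/1.0 200
2014-04-14 00:00:02 10.0.0.5 POST /search.aspx q=aaaa 80 203.0.113.7 FloodBot/1.0 200
"""

# The four request details the article says to compare across bad requests.
PATTERN_FIELDS = ("cs-method", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields line.
    The directive may appear more than once (IIS rewrites it on a config change)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the current field layout
        yield dict(zip(fields, values))

def top_patterns(text, n=3):
    """Return [(pattern, hits, share_of_all_requests, distinct_client_ips), ...]
    for the n most frequent (method, URL, query, user-agent) combinations."""
    counts, sources = Counter(), {}
    for rec in parse_w3c(text):
        key = tuple(rec.get(f, "-") for f in PATTERN_FIELDS)
        counts[key] += 1
        sources.setdefault(key, set()).add(rec.get("c-ip", "-"))
    total = sum(counts.values())
    return [(p, c, c / total, len(sources[p])) for p, c in counts.most_common(n)]

if __name__ == "__main__":
    for pattern, hits, share, ips in top_patterns(SAMPLE_LOG):
        print(f"{hits:6d} {share:6.1%} {ips:4d} IPs  {pattern}")
```

A pattern that accounts for most of the requests, comes from many client addresses and never appears in the normal traffic is the candidate for the blocking rule in the next section; a pattern shared with legitimate requests needs one more distinguishing detail before it is safe to block.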

Creating Block Rule(s)

In IIS, browse to the site that is being hit by the attacks, and open the URL Rewrite tool. Add a new 'Blank rule'. Enter a name and set the 'Action type' to 'Abort Request'. The rest of the options you use will depend on which request details are being matched. Below are some guidelines:

  • URL: The URL is specified in the 'Pattern' field.
  • REQUEST METHOD: Add a condition with the following details:
      Condition input: {REQUEST_METHOD}
      Pattern: GET (or POST or HEAD or whichever request method is being used in the attack)
  • QUERY STRING: Add a condition with the following details:
      Condition input: {QUERY_STRING}
      Pattern: ** query string pattern **
  • USER-AGENT: Add a condition with the following details:
      Condition input: {HTTP_USER_AGENT}
      Pattern: ** user-agent string **

NOTE: The 'Pattern' input fields are entered as Regular Expressions. If you are not familiar with using Regular Expressions, you may need to request assistance with setting up the proper rule.

Davidd (talk) 11:37, 14 April 2014 (CDT)