A Denial-Of-Service (DOS) attack can target any application/tenant should it be hosted in Windows Azure or hosted by an ISP. If you are using Azure Web Sites or IIS in a VM (IAAS), a simple way to mitigate such attack would be to enable Dynamic IP Restrictions as described in many blog articles:
Configuring Dynamic IP Address Restrictions in Windows Azure Web SitesIIS 8.0 Dynamic IP Address RestrictionsUsing Dynamic IP Restrictions (documentation for IIS7/7.5)
The following steps described how to install Dynamic IP Restrictions in a Cloud Service/Web Role using a startup task on any OS Family (1-4):
[Windows 2008/IIS7 & 2008 R2/IIS7.5]
[Windows 2012/IIS8 & 2012 R2/IIS8.5]
If Dynamic IP Restrictions are not enabled, check the content of log.txt file (dir E:\approot\*.log.txt)
If you connect on you web role using Internet Explorer, you may get this error during the time where your IP is "blacklisted" :
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/security/dynamicIpSecurity /denyByConcurrentRequests.enabled:"True" /denyByConcurrentRequests.maxConcurrentRequests:"30" /denyByRequestRate.enabled:"True" /denyByRequestRate.maxRequests:"30" /denyByRequestRate.requestIntervalInMilliseconds:"5000" /commit:apphost >> log.txt
<dynamicIpSecurity><denyByConcurrentRequests enabled="true" maxConcurrentRequests="30" /><denyByRequestRate enabled="true" maxRequests="30" requestIntervalInMilliseconds="5000" /></dynamicIpSecurity>
I hope you've enjoyed this article as much as I enjoyed writing it & Thanks,
Emmanuel BoersmaCloud Integration Engineer
Works like a charm :) Thanks for that. There is only one caveat - the task tag should wrap the Environment tag.
Thanks for the feedback Ilija! I've fixed the task tag issue.