How Can You Stop Bandwidth Hammering on a Windows Server?
Our Windows Server 2003 Standard Edition server is getting hit pretty hard by some individuals or bots from China. This attack is trying to saturate our connection by requesting lots of large files from one of the sites in IIS. The peak of the attack was 60mbps outgoing, with a 30mbps average for almost 9 hours. The server was connected via a 100mbps connection at the time.
I enabled IIS logging on the site for about a minute and managed to find about 10 IPs from China hammering the server. I added the IPs to the denied-IP list in IIS and bandwidth is now back to normal levels. I have also had the connection capped to 20mbps as this is our pre-paid bandwidth allowance on a monthly-average basis. However, now this will cause problems if the connection is saturated. I have tried limiting the bandwidth usage that IIS will allow to 1500kb/sec, but for some reason IIS is serving bandwidth beyond this limit.
Are there any programs that exist which can tell you what destination IPs are using the most bandwidth? Are there any programs/filters that can limit bandwidth hammering on a per-visitor basis for IIS or the server as a whole?
Just about any stats program is going to require either log files or data written to a file of some sort. It's also somewhat common, when you see traffic like that, to ban netblocks/country blocks instead of banning individual IPs. Sadly, a lot of attacks like that come from Korea/China/etc.
Net-block blocking sounds like a good idea. It's just a shame there's no automated blocking software available for Windows. I can see this is going to consume a lot of time in the future if they change IPs regularly.
The server is currently using a strict IPSec policy. There's no other form of a firewall, hardware or software wise. We don't appear to be suffering from a DoS attack.
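As an added example (not part of the original thread), the log-based approach discussed above can be sketched in Python: it sums bytes sent per client from an IIS W3C extended log and rolls the totals up into /24 netblocks, so the heaviest consumers and candidate blocks for the deny list stand out. It assumes the site's log has the `c-ip` and `sc-bytes` fields enabled; the sample lines are constructed and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation addresses only).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2008-01-01 10:00:01 203.0.113.10 GET /files/big1.zip 200 52428800
2008-01-01 10:00:02 203.0.113.77 GET /files/big2.zip 200 41943040
2008-01-01 10:00:02 198.51.100.5 GET /index.htm 200 8192
2008-01-01 10:00:03 203.0.113.10 GET /files/big1.zip 206 10485760
2008-01-01 10:00:04 192.0.2.44 GET /files/big1.zip 200 52428800
2008-01-01 10:00:05 198.51.100.5 GET /logo.gif 304 -
"""

def bytes_by_client(lines):
    """Sum sc-bytes per c-ip, following each #Fields: header for column order."""
    fields, totals = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS rewrites this header on restart
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        sent = row.get("sc-bytes", "")
        if "c-ip" in row and sent.isdigit():  # "-" means no byte count logged
            totals[row["c-ip"]] += int(sent)
    return totals

def bytes_by_netblock(totals, prefix=24):
    """Roll per-IP totals up into IPv4 netblocks of the given prefix length."""
    blocks = Counter()
    for ip, sent in totals.items():
        try:
            net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
        except ValueError:  # skip non-IPv4 or malformed client addresses
            continue
        blocks[str(net)] += sent
    return blocks

if __name__ == "__main__":
    per_ip = bytes_by_client(SAMPLE_LOG.splitlines())
    for label, table in (("client", per_ip), ("netblock", bytes_by_netblock(per_ip))):
        for key, sent in table.most_common(3):
            print(f"{label:9}{key:18}{sent / 2**20:8.1f} MiB")
```

Run against a real log by passing an open file object to `bytes_by_client` in place of the sample lines; a block that dominates the netblock table while no single address dominates the client table points to rotating source IPs within one range.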