Windows Server 2008: Limit UDP/TCP packets per IP or ban

Tags: ddos, flooding, windows-firewall, windows-server-2008

How can I limit UDP/TCP packets per IP sent to my host (or better, per port) per second or minute?
It would be nice to ban that IP for 12/24 hours or even forever.

I have Windows Server 2008 and I'm very poor at Windows administration but quite good at Linux.

EDIT:
My basic problem is that they are sending a lot of rubbish UDP and TCP packets: TCP packets without SYN, fragmented UDP packets, so my servers stop responding.

So I need to cut off users (IPs) sending more than X packets per second. I need a solution which somehow provides me with this, configurable:
X packets of a certain type (UDP, TCP or both; let's say a parameter named Z) are allowed to be received per IP on port Y, otherwise the packet should be DROPPED.

My virtual hosts are hosted by VirtualBox and I'm able to forward all incoming packets of a certain type and a certain port to the specific virtual host, but I need to DROP them before my VirtualBox receives them.

[Figure: "My Net" network diagram]

Best Answer

To be honest with you, DDoS attacks are very hard to remediate without creating redundancy at the network and server level, load balancing, and blocking offending machines; and even then, if there is such a coordinated effort to bring you down and they have more resources than you, well, you are SOL.

What I would recommend as the best solution would be to invest money in a hardware solution to weed out bad traffic. The Juniper SRX branch firewalls support DDoS protection and other cool features to protect your network at a relatively accessible budget.

The second solution would be to use a software-based firewall and create custom scripts that poll the network usage and react by blocking this device.

I would recommend WIPFW (http://wipfw.sourceforge.net/), which comes from the BSD world.

WIPFW is an MS Windows operable version of IPFW for FreeBSD OS. You can use the same functionality and configure it just as you work with IPFW.

IPFW is a packet filtering and accounting system which resides in kernel mode, and has a user-land control utility, ipfw. Together, they allow you to define and query the rules used by the kernel in its routing decisions.

There are two related parts to ipfw. The firewall section performs packet filtering. There is also an IP accounting section which tracks usage of the router, based on rules similar to those used in the firewall section. This allows the administrator to monitor how much traffic the router is getting from a certain machine, or how much WWW traffic it is forwarding, for example.

As a result of the way that ipfw is designed, you can use ipfw on non-router machines to perform packet filtering on incoming and outgoing connections. This is a special case of the more general use of ipfw, and the same commands and techniques should be used in this situation.
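The poster's requirement (X packets of type Z to port Y per source IP, otherwise DROP, with a timed ban) and the answer's suggestion of a script that polls traffic and reacts by blocking the offender come together in the following added example. It is not code from the original post or from the WIPFW project: the `Packet`, `Policy` and `FloodGuard` names, the sliding-window logic and the sample packets are all constructed here. The firewall reaction is only rendered as a `netsh advfirewall` command string (a dry run) so the decision logic can be tested offline; the numbers are deliberately small for the demo.

```python
"""Per-source-IP packet rate limiter with timed bans (added example).

Models the X/Y/Z policy from the question: at most X packets of protocol Z
to port Y per source IP within a sliding window; the offending packet is
DROPPED and the source is banned for ban_s seconds (12*3600 for 12 hours,
float('inf') for "forever"). Packet records are constructed inline; in
practice they would come from the firewall's accounting counters or a capture.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since an arbitrary epoch
    src_ip: str
    proto: str       # "udp" or "tcp"
    dst_port: int


@dataclass
class Policy:
    max_packets: int   # X: packets allowed per window per source IP
    window_s: float    # sliding window length in seconds
    port: int          # Y: the policed destination port
    proto: str         # Z: "udp", "tcp" or "both"
    ban_s: float       # ban duration in seconds once X is exceeded


class FloodGuard:
    """Stateful per-IP counter: ACCEPT/DROP decision plus a ban list."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._banned_until: Dict[str, float] = {}
        self.bans: List[Tuple[str, float]] = []   # (ip, time the ban started)

    def _policed(self, pkt: Packet) -> bool:
        if pkt.dst_port != self.policy.port:
            return False
        return self.policy.proto == "both" or pkt.proto == self.policy.proto

    def decide(self, pkt: Packet) -> str:
        # 1. A banned source is dropped on every port until the ban expires.
        until = self._banned_until.get(pkt.src_ip)
        if until is not None:
            if pkt.ts < until:
                return "DROP"
            del self._banned_until[pkt.src_ip]   # ban expired, start clean
        # 2. Traffic outside the policed port/protocol is not counted.
        if not self._policed(pkt):
            return "ACCEPT"
        # 3. Sliding window: keep only timestamps newer than ts - window_s.
        q = self._hits[pkt.src_ip]
        q.append(pkt.ts)
        cutoff = pkt.ts - self.policy.window_s
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) > self.policy.max_packets:
            self._banned_until[pkt.src_ip] = pkt.ts + self.policy.ban_s
            self.bans.append((pkt.src_ip, pkt.ts))
            q.clear()
            return "DROP"
        return "ACCEPT"


def netsh_block_rule(ip: str, name_prefix: str = "flood-ban") -> str:
    """Render (do not run) an inbound block rule for Windows Firewall with
    Advanced Security. The address is validated so a malformed value read
    from logs can never be spliced into a command line."""
    addr = ipaddress.ip_address(ip)   # raises ValueError on garbage
    return (f'netsh advfirewall firewall add rule name="{name_prefix}-{addr}" '
            f'dir=in action=block remoteip={addr}')


# Constructed sample traffic (documentation ranges, not a real capture).
SAMPLE_PACKETS = [
    Packet(0.0, "198.51.100.7", "udp", 7777),
    Packet(0.1, "198.51.100.7", "udp", 7777),
    Packet(0.2, "198.51.100.7", "udp", 7777),
    Packet(0.3, "198.51.100.7", "udp", 7777),  # 4th within 1 s: exceeds X=3
    Packet(0.4, "203.0.113.5", "udp", 7777),   # well-behaved client
    Packet(0.5, "198.51.100.7", "tcp", 80),    # banned source, other port
    Packet(2.0, "203.0.113.5", "tcp", 7777),   # counted too, since Z="both"
    Packet(3.0, "203.0.113.5", "udp", 53),     # not the policed port
    Packet(6.0, "198.51.100.7", "udp", 7777),  # ban (5 s) has expired
]

DEMO_POLICY = Policy(max_packets=3, window_s=1.0, port=7777, proto="both", ban_s=5.0)


def run_demo(packets=SAMPLE_PACKETS, policy=DEMO_POLICY):
    """Return per-packet decisions, the bans issued and the rendered rules."""
    guard = FloodGuard(policy)
    decisions = [guard.decide(p) for p in packets]
    rules = [netsh_block_rule(ip) for ip, _ in guard.bans]
    return decisions, guard.bans, rules


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()[0]):
        print(f"{pkt.ts:4.1f} {pkt.src_ip:>14} {pkt.proto}/{pkt.dst_port:<5} {verdict}")
    for rule in run_demo()[2]:
        print(rule)
```

For a 12-hour ban as asked in the question, set `ban_s=12*3600`; the ban applies to every port of the offending source, matching the "ban that IP" wording, while the counter itself only looks at port Y and protocol Z. Feeding the guard from ipfw's accounting counters (the IP accounting section described above) rather than from individual packets would be the natural way to turn this into the polling script the answer suggests.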
