Followup to Identifying DDOS Attacks on Windows 2008 Servers.
What steps are people taking to prevent DDOS attacks against their Windows 2008 Servers in a hosted environment?
I'm particularly interested in ways that don't involve a separate hardware firewall, but rather things that can be done with software or configuration of the server itself.
MS has an article called How To: Harden the TCP/IP Stack. Does anyone have experience (or thoughts) on the success of those steps?
In practice, at the small scale you simply can't protect from a real DDOS as even ignoring resource usage issues it's very easy for even a thousand machines to swamp quite a large connection.
The only real things to do is standard config and hardening, ensuring only what's needed is running, and that what is needed it configured optimally.
Hopefully your ISP / colo will have some procedures to fix some things at their end if there are any attacks. However, unless you're a gambling, pornography or other (legal) fringe site such an attack is extremely unlikely.
Truthfully told, there's not a lot you can do to guard against a real DDoS attack at the server level. There's no setting you can tweak that's going to defends you against gigs of traffic targeted at a specific server.
To prevent the symptoms of a DDoS, the best (and most expensive way) is to use a service like Prolexic which aggregates tons and tons of bandwidth and cleans your traffic. There are also devices which you can use to help filter out bad traffic, but again, it depends on what kind of Internet you have coming into the data center you're in. If they're on an OC-3, a DDoS could completely saturate the connection from multiple providers and no device in the world is going to save you from that. If you're in a place that has gigs and gigs of pipe, then those appliances can be more useful.
To stop the symptoms of a DDoS, you really need some kind of cooperation with the providers of your data center's ISPs. There's only so much you can do on your own.
Hardening the IP stack certainly works and helps (the syn attack protection especially), as well as ensuring that the built in windows firewall is enabled and allowing only what is required in and out. One of the things mentioned in your previsous question was when you disabled inbound access things went back to normal, but that it wasn't http connections. The firewall should be set to only allow port 80/443 on the public interface. Depending on your particular needs a seperate firewall/IDS may or may not be needed. If you're a single company hosting your own website, you can probably slide under the radar. If you are a web hosting provider, you will most certainly want a seperate firewall.
http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions
IIS "Dynamic IP Address Restrictions" extension blocks IP addresses on suspicious activity. helped us to solve the HTTP flooding issue
