
I have an ongoing issue with my server. I have looked through my IIS records and found an inordinate amount of hits to my site by the same address/domain. I did my homework and looked this up; the IP address matches the site shown. It appears that the s-ip is the same along with the cs-host being the same. The s-ip is all over the place. I am not an admin by any means. I looked up how to ban IP addresses and have put the IP address in as deny. However, they are continuing to hit the site. I did this at server level and not just on the domain of my site. It has placed this under every site as well. Is there a possibility that they are spoofing the IP address and the domain? I feel like someone is using this particular domain for spamming. I am scratching my head as to why the deny is not working.

The domain that is showing up appears to be parked.

The procedure I have done is going into IIS Manager and adding the address to IP and Domain Restrictions: Mode = Deny, Requestor = IPAddress, Entry = Local.

Any help with this would be great.

Scott Purtan
  • You cannot block the values of "s-ip", as that's the IP address of this web server, https://learn.microsoft.com/en-us/windows/win32/http/w3c-logging So please do more homework on IIS. – Lex Li Nov 18 '19 at 22:46
  • @LexLi So I have to block all of these individual IP addresses, under the c-ip? There are a lot of them and I do not want to block potential customers that come to my site. Isn't there some higher level solution? Again, I am not a server admin. – Scott Purtan Nov 19 '19 at 02:13
  • Please use a site such as https://security.stackexchange.com/ or simply hire a security professional to walk you through the basics of internet security. In general, what IIS offers (static/dynamic IP blocking) is too simple for real world usage, so drilling down into the settings can be a waste of time when your true risks are elsewhere. That's also why security related products are available for purchase, https://www.cloudflare.com/en-ca/ddos/ Of course, if you prefer manual blocking, you can feel free to. – Lex Li Nov 19 '19 at 02:29
  • @LexLi Funny you should say that; a lot of these IP addresses I am looking up come from Cloudflare. So I don't see how something that is supposed to protect me is being used to attack my server... – Scott Purtan Nov 19 '19 at 02:44
  • @ScottPurtan You could try to deny the specific IP address by using IIS IP and domain name restriction [image](https://i.stack.imgur.com/UOlqD.png) – Jalpa Panchal Nov 19 '19 at 06:33
  • @JalpaPanchal That is what I did, but I did it for the s-ip; apparently, from what I have been told in the comments, you cannot do that. Trying to deny all the individual c-ip addresses would just be a nightmare, on top of possibly banning current and future customers from the site. My belief is that whoever is doing this is using random IP addresses through the site that is listed. The c-ip addresses are all over the place. I was having an issue with my contact form on the site sending out blank forms to me and probably something else to whoever. Since I denied the s-ip, that has stopped! – Scott Purtan Nov 19 '19 at 19:38
  • s-ip is the IP address of the server on which the log file entry was generated. Also check the IIS log to see which status code is shown for the blocked IP address. You could use "Deny IP Address based on the number of concurrent requests", which denies requests from an IP address when the number of concurrent requests exceeds the specified maximum number of concurrent requests [image](https://i.stack.imgur.com/5zBlc.png). – Jalpa Panchal Nov 20 '19 at 09:00
  • @JalpaPanchal So now I am confused. s-ip is the server that the log was generated on? Which would be my server, right? The s-ip does not come back to my server; it comes back to the domain that is listed under cs-host. So I guess my question now is, are they using my server to hit the other server? – Scott Purtan Nov 20 '19 at 19:28
  • No, it is not what you are thinking. Please refer to this [link](https://learn.microsoft.com/en-us/windows/win32/http/w3c-logging) on IIS logging; you will get a better idea about all the fields. If someone requests your site, it will be logged in the c-ip field. As you said, if you want to restrict based on frequent requests, you could use "Deny IP Address based on the number of concurrent requests" [image](https://i.stack.imgur.com/5zBlc.png) – Jalpa Panchal Nov 21 '19 at 01:24
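
The field distinction discussed in the comments above, as an added example that is not part of the original thread: a Python sketch that reads an IIS W3C log by its `#Fields:` header and reports the server's own address (`s-ip`), the busiest clients (`c-ip`), `cs-host` values that are not the site's hostname, and clients already receiving the deny status. The log lines, addresses and hostnames are constructed, the function names are hypothetical, and 403 as the deny status is an assumption about how the restriction is configured.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip cs-host sc-status
2019-11-18 22:01:10 192.0.2.10 GET / 80 198.51.100.7 www.example.com 200
2019-11-18 22:01:11 192.0.2.10 POST /contact 80 203.0.113.5 parked.example.net 200
2019-11-18 22:01:12 192.0.2.10 POST /contact 80 203.0.113.5 parked.example.net 200
2019-11-18 22:01:13 192.0.2.10 POST /contact 80 203.0.113.9 parked.example.net 200
2019-11-18 22:01:14 192.0.2.10 GET /about 80 198.51.100.7 www.example.com 403
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def summarize(text, site_host, deny_status="403"):
    """site_host is the hostname the site is meant to answer for (assumption)."""
    rows = list(parse_w3c(text))
    hosts = [r["cs-host"].lower().split(":")[0] for r in rows]  # drop any :port
    return {
        "server_ips": sorted({r["s-ip"] for r in rows}),  # the web server itself
        "top_clients": Counter(r["c-ip"] for r in rows).most_common(3),
        "unexpected_hosts": Counter(h for h in hosts if h != site_host),
        "denied_clients": Counter(r["c-ip"] for r in rows
                                  if r["sc-status"] == deny_status),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "www.example.com").items():
        print(f"{key}: {value}")
```

Every row carries the same `s-ip` because that column is the address the server answered on, so deny rules and rate limits only make sense against the `c-ip` column.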

0 Answers