What's the optimal "Dynamic IP Restriction Settings" in IIS8
So I have turned this on in my Azure cloud service site to try mitigate spiders and bots hitting us an absurd amount of times.
Has anyone had any experience with these settings?
Deny IP address based on the number of concurrent request: Maximum number of concurrent requests?
Deny IP address based on the number of requests over a period of time: Maximum number of request? Time period (in milliseconds)?
Answer
An experimental approach to find sensible settings
I have recently been experimenting with these settings to decide on values for our production site.
We determined the maximum number of requests a single (request-heavy) page generates, and multiplied that with 2.5 to get the maximum number of requests over time. For the time value I chose 200ms.
Manual testing shows that these settings work fine for "normal" usage. We manage to get some 403 Forbidden when we simultaneously reload the page in 5 or more tabs in the browser.
Something you have to keep in mind is that many users of your website may be sitting behind the same proxy, so the Dynamic IP Restrictions consider these users as only one. With the rather short window of 200ms I expect that this will not be a problem, while still blocking aggressive DoS attacks to some extent.
Also, we do not restrict the number of simultaneous connections. It is nearly impossible to find a sensible number here, as the number of different clients is potentially unbounded.
Note that the requests a single page (take the one with most requests) is highly relevant to get to useful settings. E.g. if a page load of your front page generates 10 requests to your server, these will come in a very short time span, so your restrictions must have a higher threshold.
Update April 2015
Our service has been running for over a year with these settings, and we've been quite happy so far.