Jump to content

Block IPs in Windows 2003


peace

Recommended Posts

Hello.

 

In case there's a lot of UDP attacks on our client's servers lately, so we have to block IPs in Windows 2003. Do you guys have any experience in that question? I'm not asking you step by step guide (but i don't mind :)). As I know there are two ways to block IPs on WS 2003: IPSec and Policies. Any useful information would be great.

 

Thank you.

Link to comment
Share on other sites

You can use a batch file to create the IPSec policy filter and rule :

 

REM Add policy

netsh ipsec static add policy name="Antihack" description="Protection antihacking" activatedefaultrule=yes assign=no


REM Add filter actions

netsh ipsec static add filteraction name="block" description="block traffic" action=block


REM Add filter

netsh ipsec static add filter filterlist="block Ips" srcaddr=Me dstaddr=any description="sniff tools" protocol=TCP mirrored=no srcport=0 dstport=8401


REM Add rule

netsh ipsec static add rule name="block Ips" policy="Antihack" filterlist="block sniffers" filteraction="block" activate=yes kerberos=no

 

 

Then assuming you have followed the above model you can then block the IPs in command line :

 

netsh ipsec static add filter filterlist="block IPs" srcaddr=123.123.123.123 dstaddr=Me description="Offender" protocol=any mirrored=yes srcport=0 dstport=0

 

Or if you got multiple Ip's to block use a batch file :

 

netsh ipsec static add filter filterlist="block IPs" srcaddr=123.123.123.123 dstaddr=Me description="Offender" protocol=any mirrored=yes srcport=0 dstport=0
netsh ipsec static add filter filterlist="block IPs" srcaddr=123.123.123.123 dstaddr=Me description="Offender" protocol=any mirrored=yes srcport=0 dstport=0
netsh ipsec static add filter filterlist="block IPs" srcaddr=123.123.123.123 dstaddr=Me description="Offender" protocol=any mirrored=yes srcport=0 dstport=0
netsh ipsec static add filter filterlist="block IPs" srcaddr=123.123.123.123 dstaddr=Me description="Offender" protocol=any mirrored=yes srcport=0 dstport=0

Link to comment
Share on other sites

All works fine, thanks.

 

I try to detect DDOS or UDP Flood attackers IPs. I installed Microsoft Network Monitor 3.4 but it seems too complicated. Is there any easiest way to detect attackers IPs?

 

I can see UDP Flood but cant find out what IP to block.

 

Thanks.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Who's Online   0 Members, 0 Anonymous, 11 Guests (See full list)

    • There are no registered users currently online
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue. Terms of Use