
iis ftp : Preventing multiple downloads


Jeffrey Hayes
9/20/2004 6:41:56 AM
I have a problem with users initiating multiple FTP downloads of the
same huge file, or several huge files, at the same time. I would like
to restrict the number of times a single user can log in via FTP (to
prevent users from monopolizing the bandwidth) without necessarily
restricting the overall number of users.

How would I do this with IIS? I have IIS 6.0, Windows Server 2003
(Enterprise).


Bernard
9/20/2004 2:59:43 PM
You are referring to opening multiple connections to download rather than
multiple logins from the same user. Unfortunately, this feature is not
available in IIS FTP.

--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/




Alun Jones [MSFT]
9/21/2004 2:38:43 PM

There's always a behaviour that people think "should be stopped".
Scratching yourself in public, saying naughty words, connecting multiple
times to download files.

Sadly, the solutions are rarely better than the problems they present, and
here's why:

You are using anonymous access(*).

What you're saying there is that you are opening up your server to downloads
to anyone and everyone that can find your server. In essence, that's the
problem - you can't block the user without finding a way to identify the
user. What can you use to identify the user? You can't use his name,
because he'll fake that. Can you use his IP address? Well, sure, except
that also blocks legitimate accesses by users of time-sharing operating
systems, or corporate users behind proxies (me, for instance, sitting here
behind a Microsoft proxy) or NATs.

But, perhaps you have an idea that we haven't considered - how would _you_
go about automatically stopping such errant behaviour? Bear in mind that
the idea you come up with would have to be widely implemented, and so
couldn't have any nasty repercussions.

Alun.
~~~~
(*) How do I know this? Simple - if you'd given this user a user name and
password, you would have been able to stop him simply by revoking his
account or changing his password.

Jeffrey Hayes
9/21/2004 9:28:29 PM
On Mon, 20 Sep 2004 14:59:43 +0800, "Bernard"

Thanks for your reply. Maybe it would be good, though, if Microsoft
added some security to IIS. I had a guy who ran a script to connect 5
times every 15 seconds and open a new connection to download the same
file. Should be a way to stop that automatically (I added an entry to
ban his entire ISP in IIS).

Meanwhile, I think I will try Filezilla instead and see if that does
it.

jeff.nospam NO[at]SPAM zina.com
9/22/2004 2:28:09 AM
On Tue, 21 Sep 2004 14:38:43 -0700, "Alun Jones [MSFT]"

Damn! [ Scratching crotch area ] I'm only able to make five
connections! :)

Worse than denying connections from multiple systems behind the same
proxy would be queuing them up. Could write a heck of a DOS attack
with that configuration.

Alun Jones [MSFT]
9/22/2004 1:04:13 PM

How would that work for anonymous use? Surely you're expecting large
numbers of accesses from that user.


There's no guarantee that IP address and user are exchangeable commodities.
[What of the user that has more than one IP address at his/her disposal?]


What you're looking for is a specific fix that takes into account your
assumptions; what we're looking for is the ability to create a
general-purpose FTP server. Unfortunately, at the moment, I can't predict
what the future intersection of those two goals will be; for right now,
though, it looks like you're doing all that you can.

Perhaps you'd find a market for writing a third-party tool that analyses log
files for such obstreperous behaviour, and adds the banning for you?

Alun.
~~~~

Jeffrey Hayes
9/22/2004 7:46:09 PM
On Tue, 21 Sep 2004 14:38:43 -0700, "Alun Jones [MSFT]"

Well, trying other servers, there seem to be two options. (1) If a
user logs in m times within n seconds, then ban him for p minutes. Or
(2) limit the number of connections from a given user to q. In both
cases, an anonymous user is identified by his IP address, as you said.

People with proxies should have caching proxies. Stopping DoS attacks
is more important (to me) than people from large companies sometimes
getting blocked, and for 99.9% of small sites, this will never be an
issue because the traffic will never be that high - unless there is an
attack underway.

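The log-analysis tool suggested earlier in the thread, applied to the "m logins within n seconds, ban for p minutes" rule from the post above, as an added example that is not part of the original thread or of IIS. The log lines are constructed, the field layout is an assumption read from the `#Fields:` directive, and the names `parse_logins` and `find_bans` are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; the field layout is an assumption, read from "#Fields:".
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-09-21 10:00:00 192.0.2.10 [1]USER anonymous 331
2004-09-21 10:00:00 192.0.2.10 [1]PASS - 230
2004-09-21 10:00:01 198.51.100.7 [2]PASS - 230
2004-09-21 10:00:03 192.0.2.10 [3]PASS - 230
2004-09-21 10:00:06 192.0.2.10 [4]PASS - 230
2004-09-21 10:00:09 192.0.2.10 [5]PASS - 230
2004-09-21 10:00:12 192.0.2.10 [6]PASS - 230
2004-09-21 10:05:00 198.51.100.7 [7]PASS - 230
"""

def parse_logins(lines):
    """Yield (timestamp, ip) for each successful login (PASS answered 230)."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line
        row = dict(zip(fields, parts))
        method = row.get("cs-method", "").split("]")[-1].upper()  # drop "[session]"
        if method == "PASS" and row.get("sc-status") == "230":
            stamp = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield stamp, row["c-ip"]

def find_bans(lines, m, n_seconds, p_minutes):
    """Return {ip: (ban_start, ban_end)} for IPs making m logins within n seconds."""
    recent, bans = defaultdict(deque), {}
    for stamp, ip in parse_logins(lines):
        if ip in bans and stamp < bans[ip][1]:
            continue  # still inside an existing ban
        times = recent[ip]
        times.append(stamp)
        while stamp - times[0] > timedelta(seconds=n_seconds):
            times.popleft()  # forget logins older than the window
        if len(times) >= m:
            bans[ip] = (stamp, stamp + timedelta(minutes=p_minutes))
            times.clear()
    return bans
```

The tally is keyed on client IP address, so every client behind one proxy or NAT shares a single count, which is the trade-off debated in this thread.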
jeff.nospam NO[at]SPAM zina.com
9/22/2004 9:26:34 PM
On 22 Sep 2004 19:46:09 GMT, Jeffrey Hayes <tvdog@sbcglobal.net>

So what you want is an FTP server written for the needs of operators
like you, running small sites with no traffic? What about the rest of
Microsoft's customers?

If you don't like the product, try an alternative. Or write your own,
get hired by Microsoft and change their ways. :)
