web2000:
I thought there might be anything built in as it is one of the classic attacks and IIS7 (due to its maturity) must have built-in capability to safeguard it. There is no need to keep adding a module just for every small thing. Too many modules affect the performance. It must be configurable at kernel level so that preventive measures can be taken before the request reaches the application.
I disagree that this should be built in. Most sites/datacenters will control (D)DOS attacks via hardware not software. Firewalls, routers, load balancers, etc. It is not efficient or desirable to have this at the application level of IIS. I don't want bloat like this slowing down IIS.
Also, DDOS prevention is a complex setup with even dedicated hardware boxes just to deal with it with different rules and analysis for them that take a lot of processing power.
Look at your web environment infrastructure and see the setup and see what your hardware provides as protection, and if it is a problem, look at dedicated hardware solutions. You should block DDOS attacks as soon as possible in the chain, not at the end at the webserver level.