markpringle
Slow down of my website by hack attempts...
Jun 25, 2012 03:04 AM
According to my Windows Application log files, various IP addresses are looking for vulnerabilities (HttpRequestValidationException) in my website. The site is secure from injections; however, the attempts seem to slow my website down. Is there anything I can do to prevent this slowdown? I am attempting to block individual IPs or IP ranges of known SPAM IP addresses, but that is tiresome since these criminals change IP addresses regularly. What else can I do to prevent the slowdown of my website by these hack attempts?
grundebar
Jun 25, 2012 02:36 PM
I apologize in advance for the long-winded nature of this response, but this is an issue that I have been trying to figure out myself and am sharing some of the insights that I have discovered in my own journey.
I have seen several hack attempts in my weblogs and my first thought was the same as your reaction: BLOCK THOSE IPS! There are two flaws with this approach. 1) Most of the IPs you see are either spoofed, proxied, or anonymized in some way. 2) If you do happen to block that user (although temporarily), you will probably only anger them and make yourself a bigger target.
I would do some further research about the potential slowdowns you are seeing in your application. Are you sure that the attempts are tied to the slowdowns? What do the requests look like that are slowing you down? Are they querystring attacks, attempted injections, or some other attack?
Of course, make sure that your server is patched. Make sure that you are not displaying any vulnerabilities to your visitors. (Can they see a yellow screen of death, or is your web.config set up to hide those types of errors? Do you display IIS information in your response headers? What unnecessary information are you giving them?)
Profile suspect requests to see what exactly is happening. Build a stack trace based off of your application logic and look for places where you could potentially plug security holes or increase performance by returning out of routines when an attempted hack is identified. How you go about this will depend on your comfort level and familiarity with web security and .NET. Ask yourself these questions: Am I going to the database before I need to? Am I loading resources that are not needed to handle this request? Do I have structure wrapped around my responses that utilizes large amounts of resources (MasterPages, SiteMaps, etc.)? This could be a big one. If your custom 404 page is wrapped in a master page that loads menu items or other data from the database, that information is being loaded for any failed/successful hack attempt.
Here is an example approach to dealing with this issue. Many of the hack attempts I see in the logs are looking to exploit known weaknesses or exposed files such as txt files containing configuration information or open cgi-bin exes. In my case, all of these requests have returned 404 errors since I do not have those files/packages/etc. on my web server. I could follow this path to potentially trap or sandbox these requests:
1) On application_start in global.asax, load a list of known bad URLs or querystrings into cache for validation.
2) On application_beginrequest, check the request against the cached list of bad requests.
3) If it is a bad request, build a response that I can return to the hacker (without upsetting the wasps' nest), such as a custom 404 page, etc., or redirect the user to a friendly Not Found page.
4) Log the bad request date, time, etc.
Depending on your specific configuration, this approach could increase performance or it could hinder it. I would love to see others' suggestions on how to deal with this issue.
Remember to Mark as Answer if this post helped you.
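The four steps in the post above, sketched as a Global.asax code-behind. This is an added example, not code from any poster in the thread; it assumes ASP.NET 4.5 or later (for `Request.Unvalidated`), and the list file path, cache key and log format are hypothetical.

```csharp
// Global.asax.cs: added example, not from the thread. Assumes ASP.NET 4.5+.
using System;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Caching;
using System.Web.Hosting;

public class Global : HttpApplication
{
    // Hypothetical file: one path or query-string fragment per line, e.g. "/cgi-bin/".
    private const string ListPath = "~/App_Data/bad-requests.txt";
    private const string CacheKey = "BadRequestFragments";

    private static string[] GetFragments()
    {
        var cached = HttpRuntime.Cache[CacheKey] as string[];
        if (cached != null) return cached;
        string file = HostingEnvironment.MapPath(ListPath);
        // Blank lines are dropped: an empty fragment would match every URL.
        string[] list = File.Exists(file)
            ? File.ReadAllLines(file).Select(l => l.Trim().ToLowerInvariant())
                  .Where(l => l.Length > 0).ToArray()
            : new string[0];
        // The dependency evicts the entry when the file changes, forcing a reload.
        HttpRuntime.Cache.Insert(CacheKey, list, new CacheDependency(file));
        return list;
    }

    // Step 1: warm the cache at start-up.
    protected void Application_Start(object sender, EventArgs e) { GetFragments(); }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Step 2: Unvalidated.RawUrl is the path and query string as sent,
        // read without running request validation.
        string raw = Request.Unvalidated.RawUrl ?? "";
        string url = raw.ToLowerInvariant();
        string hit = GetFragments().FirstOrDefault(f => url.Contains(f));
        if (hit == null) return;
        // Step 4: log to the configured trace listeners, with the URL length-capped.
        System.Diagnostics.Trace.TraceWarning("{0:u} blocked {1} {2} (matched '{3}')",
            DateTime.UtcNow, Request.UserHostAddress,
            raw.Substring(0, Math.Min(raw.Length, 256)), hit);
        // Step 3: plain 404 with no master page, sitemap or database work.
        Response.StatusCode = 404;
        Response.TrySkipIisCustomErrors = true; // keep this body on IIS 7+
        Response.ContentType = "text/plain";
        Response.Write("Not Found");
        CompleteRequest(); // skip the remaining pipeline events
    }
}
```

The substring scan runs on every request, so keep the list short and measure before and after enabling it.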
grundebar
Jun 25, 2012 04:12 PM
PS - Here is a link to more information about the application lifecycle if you want to go down the global.asax route.
Also, I forgot to mention that some hack attempts are automatically handled by either IIS or the application. For example (I probably should verify this), extra long URLs that could potentially give your app fits automatically return a 413 status code.
jprochazka
Jun 25, 2012 04:38 PM
If you are running IIS 7 you can look into Dynamic IP Restrictions.
http://www.iis.net/download/DynamicIPRestrictions
Might help slow down the bad requests a bit.
magicmike201...
Jun 25, 2012 05:05 PM
As the first responder mentioned above, you really need to identify what is happening when these requests are made. Are they attacking via querystrings? Are they making calls on long-running or resource-heavy routines? This will help identify how to cut out the performance hits by their attempts. Also, you mentioned that they are throwing validation exceptions. This would suggest the attackers are messing with the HTTP request headers. It may be worth implementing a careful way of logging the request headers when request validation exceptions are thrown to see exactly what they are doing. Could save a lot of time and unnecessary digging.
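One way to do the logging suggested in the post above, as an added example that is not code from any poster in the thread. It assumes ASP.NET 4.5 or later (for `Request.Unvalidated`); the list of headers to redact and the 256-character limit are assumptions.

```csharp
// Global.asax.cs: added example, not from the thread. Assumes ASP.NET 4.5+.
using System;
using System.Linq;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Assumed deny-list: headers whose values must never reach a log file.
    private static readonly string[] Secret = { "Cookie", "Authorization", "Proxy-Authorization" };
    private const int MaxLen = 256;

    // Cap the length and replace control characters so a crafted value
    // cannot forge extra log lines.
    private static string Clean(string s)
    {
        if (string.IsNullOrEmpty(s)) return "";
        var sb = new StringBuilder();
        foreach (char c in s.Take(MaxLen)) sb.Append(char.IsControl(c) ? '?' : c);
        return sb.ToString();
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception last = Server.GetLastError();
        var ex = last == null ? null : last.GetBaseException() as HttpRequestValidationException;
        if (ex == null) return; // every other error keeps its normal handling

        // Request.Unvalidated reads values without re-running request validation.
        var line = new StringBuilder();
        line.AppendFormat("{0:u} {1} {2} {3} | {4}", DateTime.UtcNow, Request.UserHostAddress,
            Request.HttpMethod, Clean(Request.Unvalidated.RawUrl), Clean(ex.Message));
        var headers = Request.Unvalidated.Headers;
        foreach (string name in headers.AllKeys)
        {
            bool hide = Secret.Contains(name, StringComparer.OrdinalIgnoreCase);
            line.AppendFormat(" | {0}={1}", Clean(name), hide ? "[redacted]" : Clean(headers[name]));
        }
        // Single-argument overload: the text is written as-is, not used as a format string.
        System.Diagnostics.Trace.TraceWarning(line.ToString());
    }
}
```

The exception message names the collection and the value that failed validation, so each logged line shows which input the probe targeted.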
markpringle
Jun 26, 2012 12:17 PM
The attempts are querystring attacks and attempted injections. They have not been successful. They are testing every "door" to see if one is unlocked.
markpringle
Jun 26, 2012 12:24 PM
Thanks, I will try this, although my current problem doesn't seem to be a denial of service attack. Not really sure why the querystring injection attempts are slowing down my webserver (I am not an Admin - just forced into the role).
aosanya
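Jun 30, 2012 11:54 AM
You might be plugging in scripts that are not validated on post back. Otherwise, the NoBot control can handle attacks that slow down sites; this way, you do not victimize genuine traffic.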
santa_1975
Jul 06, 2012 02:51 AM
First of all, you will need to identify the root cause of the slowness of your website before concluding the solution. Check the usage of your site. Have you done performance tests on the site? It could be that an increase in load is slowing down the site. A round of load tests will reveal potential performance bottlenecks.
Secondly, perform a web application security vulnerability audit/scan and ensure there are no "high/medium" alerts.
Hope this helps.
Thank you!