I'm not sure if this is the correct place for this question. I have the website set up to email me whenever a page not found error occurs. Yesterday I got over 6 thousand page not found emails. The bulk looked like someone was trying to test ways of getting
in for every ecommerce package I've ever heard of and many more that I haven't. It looked like someone was trying every vulnerability they could think of. I had to turn the email notification off.
Every 404 error uses resources, and we're not too thrilled with the idea that someone may someday find some way in. Is there something I can do about this? Is it possible to set the site up for example so that any given IP address is blocked for a second
or two after triggering a 404 error? We're getting way too many for someone to be typing these in.
Try to track the IP from where these requests are coming. If it is from the same IP everytime then someone might be trying to run some scripts on your website for Disctionary attack...you can either use captcha in your login page,
block the IP from your firewall. Turn the notification ON and see if the same does not happen again.
Create a custom error page and map that with error code 404 in web.config ( CustomErrors section)
In Custom error page load just add IP address of request to Application object along with time of access.
In global.asax Application_BeginRequest method check of IP address is in Application object and time of last access and depending on that either allow access of disallow.
~ Remember To Mark The Post(s) That Helped You As The ANSWER ~
Shakti Singh Tanwar
.Net Trainer (MCP,MCAD.net,MCSD.net,MCTS,MCPD.net[web])
It doesn't sound like you actually have much to worry about here.
What sort of error logging are you using? As a general rule it is a good idea to differentiate between server errors (code 500) and page/resource not found errors (404/403s) with your error logging anyway.
You can usually always setup a filter or rule with your chosen error logging method to stop it logging 404s. I typically use either Health Monitoring or Elmah and this is easy to achieve with both of these logging providers. There is no real value to your
developers from seeing every page not found as these days, bots roam all over the place automatically trying to submit phishing to web forms, access logins etc. If you have this many attempts on your site, it was likely a targeted bot rather than a person.
If we did not filter 404s we would get thousands of errors logged every minute as I work on a very busy site, there is just no point in logging them.
My advice would be to ensure that:
A. You have custom errors switched On and ensure a none-detailed custom error page is shown for server errors.
B. Ensure that ResponseWrite is used by the aspnet error handler
C. Ensure any ajax based communications also generate generic errors rather than detailed ones.
D. Your chosen error logging provider filters/does not log 404s - but still logs all other errors.
Blocking IP addresses is pretty futile as large scale botnets that go out to automatically test the vunerability of sites will have vast numbers of IP addresses, updating all the time. You need to accept that automated attacks are now a fact of life and
just ensure that your site is as secure as possible. Having Custom Errors enabled mitigates many attacks as no useful information can be gleaned by the attacker. The purpose of bots is usually for them to report back on sites where more detailed error information
has been found and a human attacker may then look into a more detailed attack. If you have custom errors, at the minimum, the vast majority of hackers won't even bother taking a second look, as they need error message detail (which might contain SQL table
names for example) in order to make the attack more sophisticated.
I would consider to deal with this on the level of IIS and firewall.
Trying to solve this programmatically on ASP.net will require more resources than using a system that is build in to windows. Really shouldn't do that.
I would imagine that the attackers are using several ip adresses....
One thing I've noticed when developing MVC is that if you have say an image reference in a css file or something along those lines where the path is incorrect or the file mistakenly isn't uploaded, you will get 404 hits for these even though the page has
loaded.
In my case, I had an image path in one of my css files which wasn't in use so the image didn't exist. That CSS file was loaded on each page so in effect I got a 404 error on every page.
Mainship
Participant
864 Points
2037 Posts
Question on an attack we're getting
Nov 19, 2010 07:43 PM|LINK
I'm not sure if this is the correct place for this question. I have the website set up to email me whenever a page not found error occurs. Yesterday I got over 6 thousand page not found emails. The bulk looked like someone was trying to test ways of getting in for every ecommerce package I've ever heard of and many more that I haven't. It looked like someone was trying every vulnerability they could think of. I had to turn the email notification off.
Every 404 error uses resources, and we're not too thrilled with the idea that someone may someday find some way in. Is there something I can do about this? Is it possible to set the site up for example so that any given IP address is blocked for a second or two after triggering a 404 error? We're getting way too many for someone to be typing these in.
How is something like this normally handled?
fdepijper@zi...
Participant
1246 Points
309 Posts
Re: Question on an attack we're getting
Nov 19, 2010 08:13 PM|LINK
Does the website require a logon?
Mainship
Participant
864 Points
2037 Posts
Re: Question on an attack we're getting
Nov 19, 2010 11:00 PM|LINK
Only the administration sections.
fdepijper@zi...
Participant
1246 Points
309 Posts
Re: Question on an attack we're getting
Nov 20, 2010 06:12 AM|LINK
Ok i was checking the internet because i'm interested in this issue as well.
found this link.
http://www.codeproject.com/Articles/111343/Security-Protect-against-POET-Attacks-with-Custom-.aspx
Maybe not that helpfull but the remark could be of little help.
As per Scott Gu’s recommendation, I’ve added a random <500ms delay to the processing of all errors to help muddy the waters and added support for the
property on theCustomErrorselement.If i find more i will post it.
kkarasinski
Member
495 Points
95 Posts
Re: Question on an attack we're getting
Jan 29, 2011 08:24 PM|LINK
can you tell if its the same ip for all the requests? If so you can ban the ip. Allso if its an ecom site have you done a pci scan?
nehaavishwaa
Participant
960 Points
209 Posts
Re: Question on an attack we're getting
Mar 09, 2011 08:08 PM|LINK
Try to track the IP from where these requests are coming. If it is from the same IP everytime then someone might be trying to run some scripts on your website for Disctionary attack...you can either use captcha in your login page, block the IP from your firewall. Turn the notification ON and see if the same does not happen again.
Hope this help
Please mark as answer if this solves your problem
DevTechie.com
Shakti Singh...
Star
10870 Points
1827 Posts
Re: Question on an attack we're getting
Apr 19, 2011 03:43 AM|LINK
Create a custom error page and map that with error code 404 in web.config ( CustomErrors section)
In Custom error page load just add IP address of request to Application object along with time of access.
In global.asax Application_BeginRequest method check of IP address is in Application object and time of last access and depending on that either allow access of disallow.
Shakti Singh Tanwar
.Net Trainer (MCP,MCAD.net,MCSD.net,MCTS,MCPD.net[web])
Matt3.5
Member
333 Points
92 Posts
Re: Question on an attack we're getting
Apr 27, 2011 01:29 PM|LINK
Hi Mainship,
It doesn't sound like you actually have much to worry about here.
What sort of error logging are you using? As a general rule it is a good idea to differentiate between server errors (code 500) and page/resource not found errors (404/403s) with your error logging anyway.
You can usually always setup a filter or rule with your chosen error logging method to stop it logging 404s. I typically use either Health Monitoring or Elmah and this is easy to achieve with both of these logging providers. There is no real value to your developers from seeing every page not found as these days, bots roam all over the place automatically trying to submit phishing to web forms, access logins etc. If you have this many attempts on your site, it was likely a targeted bot rather than a person. If we did not filter 404s we would get thousands of errors logged every minute as I work on a very busy site, there is just no point in logging them.
My advice would be to ensure that:
A. You have custom errors switched On and ensure a none-detailed custom error page is shown for server errors.
B. Ensure that ResponseWrite is used by the aspnet error handler
C. Ensure any ajax based communications also generate generic errors rather than detailed ones.
D. Your chosen error logging provider filters/does not log 404s - but still logs all other errors.
Blocking IP addresses is pretty futile as large scale botnets that go out to automatically test the vunerability of sites will have vast numbers of IP addresses, updating all the time. You need to accept that automated attacks are now a fact of life and just ensure that your site is as secure as possible. Having Custom Errors enabled mitigates many attacks as no useful information can be gleaned by the attacker. The purpose of bots is usually for them to report back on sites where more detailed error information has been found and a human attacker may then look into a more detailed attack. If you have custom errors, at the minimum, the vast majority of hackers won't even bother taking a second look, as they need error message detail (which might contain SQL table names for example) in order to make the attack more sophisticated.
Matt
interwandere...
Contributor
2693 Points
542 Posts
Re: Question on an attack we're getting
May 09, 2011 11:35 AM|LINK
I would consider to deal with this on the level of IIS and firewall.
Trying to solve this programmatically on ASP.net will require more resources than using a system that is build in to windows. Really shouldn't do that.
I would imagine that the attackers are using several ip adresses....
.one of my (older) projects social tomorrow and
tftr_si
Member
713 Points
216 Posts
Re: Question on an attack we're getting
May 31, 2011 07:26 AM|LINK
One thing I've noticed when developing MVC is that if you have say an image reference in a css file or something along those lines where the path is incorrect or the file mistakenly isn't uploaded, you will get 404 hits for these even though the page has loaded.
In my case, I had an image path in one of my css files which wasn't in use so the image didn't exist. That CSS file was loaded on each page so in effect I got a 404 error on every page.