Last post May 31, 2011 06:45 PM by Mainship
Nov 19, 2010 03:43 PM|Mainship|LINK
I'm not sure if this is the correct place for this question. I have the website set up to email me whenever a page not found error occurs. Yesterday I got over 6 thousand page not found emails. The bulk looked like someone was trying to test ways of getting in for every ecommerce package I've ever heard of and many more that I haven't. It looked like someone was trying every vulnerability they could think of. I had to turn the email notification off.
Every 404 error uses resources, and we're not too thrilled with the idea that someone may someday find some way in. Is there something I can do about this? Is it possible to set the site up for example so that any given IP address is blocked for a second or two after triggering a 404 error? We're getting way too many for someone to be typing these in.
How is something like this normally handled?
Nov 19, 2010 04:13 PM|firstname.lastname@example.org|LINK
Does the website require a logon?
Nov 19, 2010 07:00 PM|Mainship|LINK
Only the administration sections.
Nov 20, 2010 02:12 AM|email@example.com|LINK
OK, I was checking the internet because I'm interested in this issue as well.
Found this link.
Maybe not that helpful, but the remark could be of little help.
As per Scott Gu’s recommendation, I’ve added a random <500ms delay to the processing of all errors to help muddy the waters and added support for the ResponseRewrite property on the CustomErrors
If I find more I will post it.
Jan 29, 2011 04:24 PM|kkarasinski|LINK
Can you tell if it's the same IP for all the requests? If so you can ban the IP. Also, if it's an ecom site, have you done a PCI scan?
Mar 09, 2011 04:08 PM|nehaavishwaa|LINK
Try to track the IP from where these requests are coming. If it is from the same IP every time then someone might be trying to run some scripts on your website for a dictionary attack... You can either use captcha in your login page, or block the IP from your firewall. Turn the notification ON and see if the same does not happen again.
Hope this helps
Please mark as answer if this solves your problem
Apr 18, 2011 11:43 PM|Shakti Singh Tanwar|LINK
Create a custom error page and map that with error code 404 in web.config (CustomErrors section).
In the custom error page load, just add the IP address of the request to the Application object along with the time of access.
In the global.asax Application_BeginRequest method, check if the IP address is in the Application object and the time of last access, and depending on that either allow access or disallow.
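The three steps in the post above, written out as an added example that is not part of the original post. It swaps the Application object for a static ConcurrentDictionary (so it assumes .NET 4 or later); the names NotFoundThrottle and NotFoundPage, the 2-second window, the entry cap and the 429 status are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;
using System.Web.UI;
// Last 404 time per client IP. Hypothetical helper; window and cap are assumed values.
public static class NotFoundThrottle
{
    static readonly TimeSpan Window = TimeSpan.FromSeconds(2); // assumed block duration
    const int MaxEntries = 50000;                              // assumed memory cap
    static readonly ConcurrentDictionary<string, DateTime> LastMiss =
        new ConcurrentDictionary<string, DateTime>();
    public static void Record(string ip, DateTime nowUtc)
    {
        if (LastMiss.Count >= MaxEntries) // many source IPs must not grow the table unbounded
        {
            DateTime ignored;
            foreach (var entry in LastMiss)
                if (nowUtc - entry.Value >= Window) LastMiss.TryRemove(entry.Key, out ignored);
            if (LastMiss.Count >= MaxEntries) return; // still full: stop tracking new IPs
        }
        LastMiss[ip] = nowUtc;
    }

    public static bool IsBlocked(string ip, DateTime nowUtc)
    {
        DateTime last;
        return LastMiss.TryGetValue(ip, out last) && nowUtc - last < Window;
    }
}

// Code-behind of the page mapped to statusCode="404" in <customErrors>.
public class NotFoundPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.StatusCode = 404; // report the real status, not 200
        NotFoundThrottle.Record(Request.UserHostAddress, DateTime.UtcNow);
    }
}

public class Global : HttpApplication // Global.asax.cs
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!NotFoundThrottle.IsBlocked(Request.UserHostAddress, DateTime.UtcNow)) return;
        Response.StatusCode = 429; // Too Many Requests
        CompleteRequest();         // skip the rest of the pipeline for this request
    }
}
```

Clients behind one NAT or proxy share an address, and a page that references a missing image or stylesheet will trip the block for ordinary visitors, so check the site's own 404s before enabling this.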
Apr 27, 2011 09:29 AM|Matt3.5|LINK
It doesn't sound like you actually have much to worry about here.
What sort of error logging are you using? As a general rule it is a good idea to differentiate between server errors (code 500) and page/resource not found errors (404/403s) with your error logging anyway.
You can usually always set up a filter or rule with your chosen error logging method to stop it logging 404s. I typically use either Health Monitoring or Elmah and this is easy to achieve with both of these logging providers. There is no real value to your developers from seeing every page not found as these days, bots roam all over the place automatically trying to submit phishing to web forms, access logins etc. If you have this many attempts on your site, it was likely a targeted bot rather than a person.
If we did not filter 404s we would get thousands of errors logged every minute as I work on a very busy site, there is just no point in logging them.
My advice would be to ensure that:
A. You have custom errors switched On and ensure a non-detailed custom error page is shown for server errors.
B. Ensure that ResponseWrite is used by the aspnet error handler
C. Ensure any ajax based communications also generate generic errors rather than detailed ones.
D. Your chosen error logging provider filters/does not log 404s - but still logs all other errors.
Blocking IP addresses is pretty futile as large scale botnets that go out to automatically test the vulnerability of sites will have vast numbers of IP addresses, updating all the time. You need to accept that automated attacks are now a fact of life and just ensure that your site is as secure as possible. Having Custom Errors enabled mitigates many attacks as no useful information can be gleaned by the attacker. The purpose of bots is usually for them to report back on sites where more detailed error information has been found and a human attacker may then look into a more detailed attack. If you have custom errors, at the minimum, the vast majority of hackers won't even bother taking a second look, as they need error message detail (which might contain SQL table names for example) in order to make the attack more sophisticated.
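Point D from the post above, for ELMAH, as an added example that is not code from the post. It assumes ELMAH's log and mail modules are registered in web.config under the names ErrorLog and ErrorMail; the suppressed-404 counter is a hypothetical addition so the volume of dropped errors stays visible.

```csharp
using System;
using System.Threading;
using System.Web;
using Elmah;

public class Global : HttpApplication // Global.asax.cs
{
    static long suppressed404; // hypothetical counter of dropped 404s

    public static long Suppressed404Count
    {
        get { return Interlocked.Read(ref suppressed404); }
    }

    // True when the root cause is an ASP.NET "not found" (HTTP 404).
    static bool IsNotFound(Exception ex)
    {
        var http = ex.GetBaseException() as HttpException;
        return http != null && http.GetHttpCode() == 404;
    }

    // ELMAH raises <ModuleName>_Filtering before it stores an error.
    void ErrorLog_Filtering(object sender, ExceptionFilterEventArgs e)
    {
        if (!IsNotFound(e.Exception)) return; // 500s and all other errors are still logged
        Interlocked.Increment(ref suppressed404);
        e.Dismiss();
    }

    // Same rule for e-mail notifications, so a scan cannot flood the inbox.
    void ErrorMail_Filtering(object sender, ExceptionFilterEventArgs e)
    {
        if (IsNotFound(e.Exception)) e.Dismiss();
    }
}
```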
May 09, 2011 07:35 AM|interwanderer1|LINK
I would consider dealing with this on the level of IIS and firewall.
Trying to solve this programmatically on ASP.NET will require more resources than using a system that is built into Windows. Really shouldn't do that.
I would imagine that the attackers are using several IP addresses....
May 31, 2011 03:26 AM|tftr_si|LINK
One thing I've noticed when developing MVC is that if you have say an image reference in a css file or something along those lines where the path is incorrect or the file mistakenly isn't uploaded, you will get 404 hits for these even though the page has
In my case, I had an image path in one of my css files which wasn't in use so the image didn't exist. That CSS file was loaded on each page so in effect I got a 404 error on every page.
May 31, 2011 06:45 PM|Mainship|LINK
Wow. I'll have to keep that in mind. It wouldn't be hard for something like that to cause problems. Thank you.