I usually recommend developers to check out the Web Developer Checklist (which is great for all types of methods of improving your site and application) but in particular the Security section. There is never any "single" thing that you can do to help keep your site / server protected, but rather a series of steps that you can take to make things more difficult for any malicious activity to go on.
Under there you will find several links and topics such as the following that will help you make your site more secure and help avoid some of the issues that you are mentioning:
ASafaWeb ASP.NET Security Analyzer - This tool will automatically analyze and notify you of any major security flaws that may exist within your site online.
Microsoft Code Analysis Tool - You can run this tool to help analyze your code and determine areas that may be at risk for things like Cross-Site Scripting Attacks (XSS), SQL Injection and XPath Injections.
Many other tools specifically for helping prevent XSS attacks, SSL Information and Analysis and a few other areas.
For some additional information on Web Security in general, you may want to check out the Open Web Applications Security Project (OWASP) which is a great resource that contains basically everything you would want to know with regards to security.
constant malicious attacks on website
May 19, 2014 07:53 AM | zodiac00
Hi All,
I have a web application that is constantly being attacked with malicious web requests... mainly XSS scripts.
I already have ASP.NET's default page-level validations implemented, with exceptions being thrown by default.
Is this safe enough, or should I consider looking at additional validation efforts?
Thanks
Re: constant malicious attacks on website
May 19, 2014 08:04 AM | Dharmesh.Kotadiya
You need to block this request using the request IP address,
in Global.ascx at the Application_BeginRequest event.
Dharmesh M. Kotadiya,
Mark as answer if my answer helps you
Re: constant malicious attacks on website
May 19, 2014 08:32 AM | zodiac00
Yes, I do block the suspicious IPs, but obviously only after the attack has happened.
I need the app to be more proactive.
I also block in IIS.
Re: constant malicious attacks on website
May 19, 2014 03:54 PM | CASPartan
A site I maintain for a client gets thousands of attacks per day... sometimes hundreds every minute.
Yes, it's hard and impossible to block each and every IP attack (and will be lots of work too).
So I'm real strict on checking the QueryString, because almost all XSS attacks are done via this vector. On each page, I checked the contents of the querystring and if certain keywords are present, I assume the request is an attack and drop the connection.
For example: the following strings should never appear in the querystring of any valid request! They're favorites of hackers, SQL injectors, etc.
CAST(
IFRAME
<SCRIPT
UPDATE
SELECT%20
CONCAT
SCHEMA
NULL
VARCHAR
DECLARE
CONVERT
-1
Here's a typical kind of attack (just got this a few minutes ago). I wrote a script to email me when suspicious attacks are happening, so I can see what they're doing. It also gives me the chance to block these hackers' IP address if they're really persistent.
Time: hh:mm:ss
IP Address: 109.163.234.13 <------ yup, actual address of that hacker/script kiddie
Server Name: www.*********.**
Querystring:
ID=4603%2F%2A%2A%2FAND%2F%2A%2A%2F2216%2F%2A%2A%2FLIKE%2F%2A%2A%2FCONVERT%28INT%2C%28SELECT%2F%2A%2A%2FCHAR%28113%29%2BCHAR%28104%29%2BCHAR%28109%29%2BCHAR%28117%29%2BCHAR%28113%29%2B%28SELECT%2F%2A%2A%2F%28CASE%2F%2A%2A%2FWHEN%2F%2A%2A%2F%282216%2F%2A%2A%2FLIKE%2F%2A%2A%2F2216%29%2F%2A%2A%2FTHEN%2F%2A%2A%2FCHAR%2849%29%2F%2A%2A%2FELSE%2F%2A%2A%2FCHAR%2848%29%2F%2A%2A%2FEND%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28118%29%2BCHAR%28120%29%2BCHAR%28113%29%29%29--%2F%2A%2A%2FLEZR
... and the other usual practices, i.e. if you're expecting a numeric ID, then accept only if its numeric, etc.
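Added example, not part of CASPartan's post or the site's code: the two checks described above (keyword screening of the querystring and accepting an ID only when it is numeric), written in C# and run against a shortened copy of the logged querystring. Matching is done on the decoded, comment-stripped string because the logged request uses `/**/` where spaces would be; the names `QueryStringCheck`, `Normalize`, `MatchedKeywords` and `IsValidId` are hypothetical, and the methods are assumed to be called from `Application_BeginRequest` as mentioned earlier in the thread.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

static class QueryStringCheck
{
    // Keywords from the list in the post above. "SELECT%20" is written as
    // "SELECT " because matching happens after URL-decoding.
    static readonly string[] Keywords = {
        "CAST(", "IFRAME", "<SCRIPT", "UPDATE", "SELECT ", "CONCAT",
        "SCHEMA", "NULL", "VARCHAR", "DECLARE", "CONVERT", "-1"
    };

    // URL-decode, replace SQL block comments with a space, collapse
    // whitespace and upper-case, so one keyword list covers all spellings.
    public static string Normalize(string rawQuery)
    {
        string decoded = WebUtility.UrlDecode(rawQuery ?? "");
        string noComments = Regex.Replace(decoded, @"/\*.*?\*/", " ", RegexOptions.Singleline);
        return Regex.Replace(noComments, @"\s+", " ").ToUpperInvariant();
    }

    // Returns every listed keyword found in the normalized querystring.
    public static string[] MatchedKeywords(string rawQuery)
    {
        string q = Normalize(rawQuery);
        return Keywords.Where(k => q.Contains(k)).ToArray();
    }

    // Allowlist check for a numeric ID: digits only (no sign, no spaces),
    // and the value must fit in an int.
    public static bool IsValidId(string value, out int id)
    {
        return int.TryParse(value, NumberStyles.None, CultureInfo.InvariantCulture, out id);
    }

    static void Main()
    {
        // Shortened from the querystring logged in the post above.
        string logged = "ID=4603%2F%2A%2A%2FAND%2F%2A%2A%2F2216%2F%2A%2A%2FLIKE"
                      + "%2F%2A%2A%2FCONVERT%28INT%2C%28SELECT%2F%2A%2A%2FCHAR%28113%29";
        Console.WriteLine("Keywords: " + string.Join(", ", MatchedKeywords(logged)));

        int id;
        string idValue = WebUtility.UrlDecode(logged.Substring("ID=".Length));
        Console.WriteLine("Logged ID accepted: " + IsValidId(idValue, out id));
        Console.WriteLine("Plain 4603 accepted: " + IsValidId("4603", out id));
    }
}
```

The numeric check decides the logged request on its own, independent of the keyword list, and a validated `int` can then be passed to the database as a typed parameter rather than concatenated into the SQL text.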
Re: constant malicious attacks on website
May 19, 2014 05:16 PM | Rion Williams
I usually recommend developers to check out the Web Developer Checklist (which is great for all types of methods of improving your site and application) but in particular the Security section. There is never any "single" thing that you can do to help keep your site / server protected, but rather a series of steps that you can take to make things more difficult for any malicious activity to go on.
Under there you will find several links and topics such as the following that will help you make your site more secure and help avoid some of the issues that you are mentioning :
For some additional information on Web Security in general, you may want to check out the Open Web Applications Security Project (OWASP) which is a great resource that contains basically everything you would want to know with regards to security.