Slow down of my website by hack attempts...

  • Question

  • User-1260039965 posted

    According to my Windows Application log files, various IP addresses are looking for vulnerabilities (HttpRequestValidationException) in my website. The site is secure from injections; however, the attempts seem to slow my website down. Is there anything I can do to prevent this slowdown? I am attempting to block individual IPs or IP ranges of known SPAM IP addresses, but that is tiresome since these criminals change IP addresses regularly. What else can I do to prevent the slowdown of my website by these hack attempts?

    Sunday, June 24, 2012 11:04 PM

Answers

  • User384031199 posted

    however the attempts seem to slow my website down

    First of all, you will need to identify the root cause of the slowness of your website before deciding on a solution. Check the usage of your site. Have you done performance tests on the site? It could be an increase in load that is slowing down the site. A round of load tests will reveal potential performance bottlenecks.

    Secondly, perform a web application security vulnerability audit/scan and ensure there are no "high/medium" alerts.

    Hope this helps.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 5, 2012 10:51 PM

All replies

  • User1020195037 posted

    I apologize in advance for the long-winded nature of this response, but this is an issue that I have been trying to figure out myself and am sharing some of the insights that I have discovered in my own journey.

    I have seen several hack attempts in my weblogs and my first thought was the same as your reaction: BLOCK THOSE IPS! There are two flaws with this approach. 1) Most of the IPs you see are either spoofed, proxied, or anonymized in some way. 2) If you do happen to block that user (although temporarily), you will probably only anger them and make yourself a bigger target.

    I would do some further research about the potential slowdowns you are seeing in your application. Are you sure that the attempts are tied to the slowdowns? What do the requests look like that are slowing you down? Are they querystring attacks, attempted injections, or some other attack?

    Of course, make sure that your server is patched. Make sure that you are not displaying any vulnerabilities to your visitors. (Can they see a yellow screen of death, or is your web.config set up to hide those types of errors? Do you display IIS information in your response headers? What unnecessary information are you giving them?)

    Profile suspect requests to see what exactly is happening. Build a stack trace based off of your application logic and look for places where you could potentially plug security holes or increase performance by returning out of routines when an attempted hack is identified. How you go about this will depend on your comfort level and familiarity with web security and .NET. Ask yourself these questions: Am I going to the database before I need to? Am I loading resources that are not needed to handle this request? Do I have structure wrapped around my responses that utilizes large amounts of resources (MasterPages, SiteMaps, etc.)? This could be a big one. If your custom 404 page is wrapped in a master page that loads menu items or other data from the database, that information is being loaded for any failed/successful hack attempt.

    Here is an example approach to dealing with this issue. Many of the hack attempts I see in the logs are looking to exploit known weaknesses or exposed files such as txt files containing configuration information or open cgi-bin exes. In my case, all of these requests have returned 404 errors since I do not have those files/packages/etc. on my web server. I could follow this path to potentially trap or sandbox these requests:

    • On application_start in global.asax load a list of known bad urls or querystrings into cache for validation
    • On application_beginrequest check the request against the cached list of bad requests
    • If it is a bad request, build a response that I can return to the hacker (without upsetting the wasps' nest) such as a custom 404 page, etc. or redirect the user to a friendly Not Found page.
    • Log the bad request date time, etc

    Depending on your specific configuration, this approach could increase performance or it could hinder it. I would love to see others' suggestions on how to deal with this issue.

    Monday, June 25, 2012 10:36 AM
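
The four steps listed in the post above, sketched as a Global.asax code-behind. This is an added example, not code from the thread; the file `~/App_Data/bad-requests.txt`, its one-fragment-per-line format and the plain-text 404 body are assumptions, and the log line is only written if a trace listener is configured.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Hosting;

public class Global : HttpApplication
{
    // Loaded once per application domain. A static array is used instead of
    // HttpRuntime.Cache because a cache entry can be evicted under memory pressure.
    private static string[] _badFragments = new string[0];

    protected void Application_Start(object sender, EventArgs e)
    {
        // Hypothetical file: one URL or query-string fragment per line,
        // e.g. "/cgi-bin/"; lines starting with # are comments.
        string path = HostingEnvironment.MapPath("~/App_Data/bad-requests.txt");
        if (path != null && File.Exists(path))
        {
            _badFragments = File.ReadAllLines(path)
                .Select(line => line.Trim())
                .Where(line => line.Length > 0 && !line.StartsWith("#"))
                .ToArray();
        }
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // RawUrl holds the path and query string as the client sent them.
        string rawUrl = Request.RawUrl ?? string.Empty;
        string hit = _badFragments.FirstOrDefault(
            f => rawUrl.IndexOf(f, StringComparison.OrdinalIgnoreCase) >= 0);
        if (hit == null) return; // normal traffic continues through the pipeline

        // Log date/time, source and matching rule; cap the URL length so one
        // oversized probe cannot bloat the log.
        string shown = rawUrl.Length > 512 ? rawUrl.Substring(0, 512) : rawUrl;
        System.Diagnostics.Trace.TraceWarning("{0:u} blocked {1} rule={2} url={3}",
            DateTime.UtcNow, Request.UserHostAddress, hit, shown);

        // Minimal 404: no master page, site map or database access is touched.
        Response.Clear();
        Response.StatusCode = 404;
        Response.TrySkipIisCustomErrors = true; // keep IIS from swapping in the custom error page
        Response.ContentType = "text/plain";
        Response.Write("Not Found");
        CompleteRequest(); // skip the remaining pipeline events and go to EndRequest
    }
}
```

Measure before and after: the substring scan runs on every request, so a long fragment list costs legitimate traffic too.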
  • User1020195037 posted

    PS - Here is a link to more information about the application lifecycle if you want to go down the global.asax route.

    Also, I forgot to mention that some hack attempts are automatically handled by either IIS or the application. For example (I probably should verify this), extra long URLs that could potentially give your app fits automatically return a 413 status code.

    Monday, June 25, 2012 12:12 PM
  • User-1404016747 posted

    If you are running IIS 7 you can look into Dynamic IP Restrictions.
    http://www.iis.net/download/DynamicIPRestrictions

    Might help slow down the bad requests a bit.

    Monday, June 25, 2012 12:38 PM
  • User-1002157272 posted

    As the first responder mentioned above, you really need to identify what is happening when these requests are made. Are they attacking via querystrings? Are they making calls on long-running or resource-heavy routines? This will help identify how to cut out the performance hits by their attempts. Also, you mentioned that they are throwing validation exceptions. This would suggest the attackers are messing with the HTTP request headers. It may be worth implementing a careful way of logging the request headers when request validation exceptions are thrown to see exactly what they are doing. Could save a lot of time and unnecessary digging.

    Monday, June 25, 2012 1:05 PM
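
One way to log the request when validation fails, as suggested in the post above. This is an added example, not code from the thread; it assumes ASP.NET 4.5 or later so that `Request.Unvalidated` can read the raw values without triggering validation a second time, and the redaction list and 256-character cap are illustrative choices.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web;

public class Global : HttpApplication
{
    // Header values that are credentials or session tokens are never logged.
    private static readonly HashSet<string> Redacted =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "Cookie", "Authorization", "Proxy-Authorization" };

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        // ASP.NET may wrap the failure in HttpUnhandledException; look at the root cause.
        var validation = (error == null ? null : error.GetBaseException())
            as HttpRequestValidationException;
        if (validation == null) return; // other errors keep their normal handling

        // Unvalidated accessors return the raw request data without re-validating it.
        var raw = Request.Unvalidated;
        var entry = new StringBuilder();
        entry.AppendFormat("{0:u} request validation failure from {1}: {2} {3}",
            DateTime.UtcNow, Request.UserHostAddress, Request.HttpMethod, Clean(raw.RawUrl));
        foreach (string name in raw.Headers.AllKeys)
        {
            string value = Redacted.Contains(name) ? "[redacted]" : Clean(raw.Headers[name]);
            entry.AppendFormat(" | {0}={1}", Clean(name), value);
        }
        System.Diagnostics.Trace.TraceWarning("{0}", entry);
    }

    // Replace control characters so attacker-supplied input cannot forge extra
    // log lines, and cap the length of each logged value.
    private static string Clean(string s)
    {
        if (string.IsNullOrEmpty(s)) return string.Empty;
        var sb = new StringBuilder(Math.Min(s.Length, 256));
        foreach (char c in s)
        {
            if (sb.Length == 256) break;
            sb.Append(char.IsControl(c) ? '?' : c);
        }
        return sb.ToString();
    }
}
```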
  • User-1260039965 posted

    The attempts are querystring attacks and attempted injections. They have not been successful. They are testing every "door" to see if one is unlocked.

    Tuesday, June 26, 2012 8:17 AM
  • User-1260039965 posted

    If you are running IIS 7 you can look into Dynamic IP Restrictions.
    http://www.iis.net/download/DynamicIPRestrictions

    Might help slow down the bad requests a bit.

    Thanks, I will try this, although my current problem doesn't seem to be a denial of service attack. Not really sure why the querystring injection attempts are slowing down my web server (I am not an Admin - just forced into the role).

    Tuesday, June 26, 2012 8:24 AM
  • User-986811875 posted
    You might be plugging in scripts that are not validated on postback. Otherwise, the NoBot control can handle attacks that slow down sites; this way, you do not victimize genuine traffic.
    Saturday, June 30, 2012 7:54 AM