IP and Domain Restrictions
Our ASP.NET website is hosted on a Windows Server 2008 and IIS7.

Recently we have a problem with "attacks" from certain IPs that generate a lot of errors by submitting different forms with invalid parameters.

I'd like to be able to block a list of IP addresses for 24hrs based on a list generated from the asp.net code. I know it is possible to achieve this using Web.config - ipSecurity Tag. I’ve found the following example:

http://www.dantor.com/support/misc/web-config-ip-address-restriction.aspx

The problem is that changing/updating the web.config will cause the website to restart/recycle.

Is it possible to update the blocked IP list without pool recycle?

EDIT:

Maybe a better idea would be to implement this using HttpModule - Scott Hanselman wrote a post on this subject in his blog: http://www.hanselman.com/blog/AnIPAddressBlockingHttpModuleForASPNETIn9Minutes.aspx

Do you think this will cause a performance hit? Routing all of the website's requests through the HttpModule could have an effect in terms of page load time? Any other idea of how to get this done?

EDIT 2:

The website is protected by a Fortigate 200a firewall, but from my knowledge the firewall isn't able to automatically block IPs that generate errors or try to do SQL injection.

Storz answered 21/7, 2014 at 11:59

Comments:

Hey, first there isn't a way of modifying the config file and not recycling the site (that I know of). But I did find this blog that says that in IIS 7 those configurations are not saved in the config file, so you can try this. Here is the link: weblog.west-wind.com/posts/2007/Apr/28/… – Froissart

The amount of time you spend writing the code for this would probably be better spent on a hardware firewall that would do it for you. – Goldbrick

Agree with @Goldbrick, better to use a firewall (maybe the built-in one on Windows). HttpModule and web.config is not a better idea because the request is managed by IIS and consumes resources. – Macrobiotics

I would minus that answer - a hardware firewall makes little sense in 2014. Just put your site behind something like CloudFlare and you can not only gain performance, it also costs 0. – Miramontes

@Miramontes, CloudFlare or Incapsula are a possible solution, but I already have a hardware firewall; using their solution costs $200 on CloudFlare and $300 for Incapsula per month. Plus sending all website traffic through their proxies doesn't seem like the best solution performance-wise. – Storz

@sharru Really? How come? Given that CloudFlare is 0 to 20 USD per month for most sites. Also - your comment is ignorant towards the significant performance gains you can get from all their proxies in the world.... caching your output. They are a CDN also, which means BETTER performance if you use them right. – Miramontes

@Miramontes CloudFlare's $20 package doesn't get you the full package - if you want DDoS protection you need CloudFlare Business ($200). I'm not ignoring the performance gains they provide (or advertise), but I also consider the fact that traffic must be routed to their servers & back, which must result in some latency. Anyway, if going in this direction I think Incapsula is better, read: tonyonsecurity.com/2013/03/09/… – Storz

This. Is. Wrong. If you want full DDoS protection - but a lot of the basic protection is in the free package. It would help to - READ. Not just glance over the texts. – Miramontes
Is it possible to update the blocked IP list without pool recycle?

I'm going to stick my neck out here and say that it is not.

Do you think using an HttpModule will cause a performance hit?

Yes. A significant one, probably not. But make sure that the IP address lookup part is very efficient. Cache the list in a HashSet for example and don't read the list from a file every time.

The problem is you are still using your web request processing power to fend off the duff requests. But this is likely to be less than the processing you do to find out if the request is duff if you don't block the IP, so overall it may actually be a performance gain. There is a risk however that you get so many requests from these IP addresses that it overwhelms your server.

Other Options

It may well be possible to install a software firewall or use the Windows built in firewall.

As others have said, getting a hardware firewall will take the load off your server entirely. You can get ones that can be updated dynamically by your web server to ban IP addresses, though I've never used one so can't recommend one or comment on how well they work. If you are on a cloud-based setup it may be worth discussing with your service provider what they can do.

One thing to consider about updating the firewalls is: do you really want to allow your web application the security privilege of being able to update the firewall? It sounds like a security flaw waiting to happen, so be extremely careful about how this is done and ensure the security privilege only allows adding IPs to the block list.

If you are really getting hammered you can route all your traffic through a third party ddos protection service like this one from VeriSign. But expect to pay bucks for the privilege.

Is App pool recycling such a bad thing?

Something else that just occurred to me is that having the application pool recycle may not be as bad as you would think. Assuming you are using a shared state server, it may well be that none of your users would actually notice this happen. The reason is that IIS normally runs two processes in parallel for a short period of time while recycling, so that new requests get processed by the new process and requests that have already started get finished on the old process. It is only when all outstanding requests have been processed by the old process that IIS kills it off. As long as you are not storing state in-memory, this normally means that users of your site don't notice the switch-over.

Eva answered 5/12, 2014 at 18:12

Comments:

What do you think about the example code I provided? hanselman.com/blog/… Can you provide better code to manage the blocked IP list? I did look into the incapsula.com solution, which I think is similar to verisigninc. – Storz

Most simple - put a proxy in front that does DDoS protection. CloudFlare. Price: 0. – Miramontes

As usual with Scott, his implementation is a good one. It uses a StringDictionary with no value, which is much the same thing as using a HashSet<String>. Also the results are cached dependent upon the file changing. So really I can't see any way to improve it. – Eva
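To make the "cache the list in a HashSet and reject early" advice concrete, here is an added example of an HttpModule with an in-memory, 24-hour expiring ban list. It is written for this answer and is not Scott Hanselman's module nor code from the question; the class and member names are my own.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Added example: rejects requests from temporarily banned IPs before any page
// code runs. The ban list lives in memory, so adding an IP never touches
// web.config and therefore never recycles the application pool.
public sealed class TempIpBlockModule : IHttpModule
{
    // Client IP -> UTC time at which the ban expires. ConcurrentDictionary gives
    // thread-safe O(1) lookups, so the per-request cost is negligible.
    private static readonly ConcurrentDictionary<string, DateTime> Bans =
        new ConcurrentDictionary<string, DateTime>(StringComparer.Ordinal);

    public static readonly TimeSpan BanDuration = TimeSpan.FromHours(24);

    // Call this from the application code that detects the abusive requests,
    // e.g. where the invalid-form errors from the question are logged.
    public static void Ban(string ip)
    {
        if (string.IsNullOrEmpty(ip)) return;
        Bans[ip] = DateTime.UtcNow.Add(BanDuration);
    }

    public static bool IsBanned(string ip, DateTime nowUtc)
    {
        DateTime until;
        if (ip == null || !Bans.TryGetValue(ip, out until)) return false;
        if (until > nowUtc) return true;
        // Expired: drop the entry lazily so the dictionary does not grow forever.
        Bans.TryRemove(ip, out until);
        return false;
    }

    public void Init(HttpApplication app)
    {
        // BeginRequest is the earliest pipeline event, so banned clients are
        // turned away before authentication, session or handler code runs.
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // UserHostAddress is the TCP peer. Behind a reverse proxy or CDN the
            // real client is in a forwarded header, which must only be trusted
            // when the request provably came from that proxy.
            if (IsBanned(ctx.Request.UserHostAddress, DateTime.UtcNow))
            {
                ctx.Response.StatusCode = 403;
                ctx.Response.SuppressContent = true;
                ctx.ApplicationInstance.CompleteRequest();
            }
        };
    }

    public void Dispose() { }
}
```

Register it under `<system.webServer><modules>` in web.config (IIS7 integrated mode); note that the list is per-process, so it starts empty after a recycle and is not shared across a web garden or farm.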
I'm joining DavidG: use NetShell to add rules from the command line or even add rules from your code (C# example); that should take effect immediately without a restart.

Use an HTTP Module only if you want to receive the request (for example, the IP addresses belong to a corporation or a hotspot and you wish to analyse cookies before terminating the request); the firewall will refuse the connection long before data is even sent to your server.

Hyperplasia answered 7/12, 2014 at 14:1
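An added example of the "add rules from your code" route this answer describes, using the Windows Firewall `netsh advfirewall` command; it is not code from the answer or from DavidG, and the class and method names are assumed. Following the earlier caution about privileges, it is meant to run in a small privileged helper that the web application calls, not under the application pool identity itself.

```csharp
using System;
using System.Diagnostics;
using System.Net;

// Added example: adds or removes a Windows Firewall inbound block rule through
// netsh.exe. The rule is live immediately and no web.config change is needed,
// so the application pool is never recycled.
public static class FirewallBan
{
    // Builds the netsh argument string, or returns false if the value is not a
    // syntactically valid IP address. Parsing first and re-serialising the
    // parsed address keeps untrusted request data from being spliced into the
    // command line as anything other than an address.
    public static bool TryBuildArguments(string ip, bool add, out string args)
    {
        IPAddress parsed;
        args = null;
        if (string.IsNullOrEmpty(ip) || !IPAddress.TryParse(ip, out parsed))
            return false;
        string canonical = parsed.ToString();
        string ruleName = "\"AutoBan " + canonical + "\"";
        args = add
            ? "advfirewall firewall add rule name=" + ruleName +
              " dir=in action=block remoteip=" + canonical
            : "advfirewall firewall delete rule name=" + ruleName;
        return true;
    }

    // Runs netsh; returns true when the command succeeded. Requires an
    // elevated/administrative context, which is why this belongs in a
    // separate privileged helper rather than in the web application.
    public static bool Apply(string ip, bool add)
    {
        string args;
        if (!TryBuildArguments(ip, add, out args)) return false;
        var psi = new ProcessStartInfo("netsh.exe", args)
        {
            UseShellExecute = false,
            CreateNoWindow = true
        };
        using (Process p = Process.Start(psi))
        {
            p.WaitForExit();
            return p.ExitCode == 0;
        }
    }

    public static bool Ban(string ip)   { return Apply(ip, true); }
    public static bool Unban(string ip) { return Apply(ip, false); }
}
```

To honour the 24-hour window from the question, record each ban's expiry and have the same helper call `Unban` on a timer; the rule names carry the address, so stale rules are also easy to audit with `netsh advfirewall firewall show rule name=all`.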
