I have a list of IP addresses of bots/hackers that are constantly attacking one of my sites. I want to block these visitors by IP and am trying to work out a "best" approach for this. My site uses C# ASP.NET MVC.
I have a List<int> of IPs.
Where is the best place to put the check code? I'm thinking of using the Page_Load event of a master page but could also put it in a filter to each controller...
What HTML do you return to the banned IP? I am reluctant to return a "site blocked because your IP is banned" because this will give the hackers the information they need to work around the block. The advantage of doing this is that it will give the innocent users who have been caught in the crossfire the reason why they can't access the site. My current feeling is that I should return a "Site under maintenance" notice.
What HTTP status code should I return with a fake "Site under maintenance" notice? I'm thinking 200.
Site is running on Server 2003.
If you feel your site is being "hacked" from a specific IP, you should not be blocking that IP in software, the very thing that they intend to compromise. Blocked IPs should be blocked at the firewall.
I'd have to agree with David on this for several reasons.
By blocking via software hackers/bots will still be able to abuse your resources (bandwidth, processor time, etc).
Software can't protect your site against DoS attacks.
If a hacker is good they'll find a way around software blocks.
Updating blocking code will require recompiling of your application.
Your answer is in the firewall. Set up rules to block out the users and they won't be able to connect.
Sending an "under maintenance" page is a terrible idea because it'll confuse normal users and won't deter a good hacker...
While you could block the IP addresses on your outward facing servers (your web servers obviously but you may have others) this list will need to be replicated across all. By blocking on a server you're not only overcomplicating the solution but also providing a method which is not wholly secure.
The proper point to block network traffic, whether it be a select list of ports or IP addresses, is as far out on your network as you can get. This is typically a firewall/router at your entry point. These networking devices are optimized for this very purpose, as well as far beyond that. Depending on the manufacturer of your networking equipment the feature set will widely vary.
I suggest you:
Identify all routers/firewalls at the outermost boundary. It is possible you only have one unless you're load balancing.
Learn how to configure the ACL (access control list) for those devices.
Modify the ACL based on your IP addresses list to block.
Always save a backup of your network device config elsewhere.
Obviously this is just the tip of the iceberg in security. Perhaps at some point you'll need to contend with DoS (Denial of Service) attacks and then some - oh the fun.
Good luck.
I'd stick the code in a place where it will run as soon as possible, before the server consumes too many resources.
I would say you should send back as little information as possible, ideally HTTP status 503 (Temporarily unavailable) with a short message linking to an acceptable-use page, or a page explaining to people some reasons why they MIGHT have been blocked and what to do if they feel they are blocked unfairly. You may wish to do this in text/plain instead of HTML as it will use fewer bytes :)
Using an in-memory list of blocked IPs also breaks when you have a large number of blocked addresses (say 1 million) because scanning it becomes prohibitive (remember you need to do this for every request to the relevant resource).
Ultimately you will want a way to distribute the lists of blocked IPs to all your web servers and/or keep it centralised - depending on exactly what kind of abuse you are getting or anticipating.
Having said that, you should definitely apply the YAGNI principle. If you aren't experiencing real capacity problems, don't bother blocking abusers at all. Very few sites actually do this, and most of them are things where there is a significant cost associated with running the site (such as Google search).
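An added example, not code from the question or from any of the answers: an ASP.NET HttpModule that applies the last answer's advice. It hooks BeginRequest (the earliest per-request event, before MVC routing), keeps the deny list in a HashSet so the lookup is O(1) however long the list grows, and answers a blocked address with a bare text/plain 503. The addresses and the /acceptable-use path are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;

// Register under <system.webServer><modules> (IIS 7 integrated pipeline)
// or <system.web><httpModules> (IIS 6 / Server 2003).
public class BlockedIpModule : IHttpModule
{
    // Hypothetical path of the page explaining why a caller may be blocked;
    // it is exempted below so a blocked user can still read it.
    private const string AcceptableUsePath = "/acceptable-use";

    // A HashSet gives O(1) lookups, so the check stays cheap even with a very
    // large deny list, unlike scanning a List<T> on every request.
    // The entries are constructed placeholders from documentation ranges.
    private static readonly HashSet<IPAddress> Blocked = new HashSet<IPAddress>
    {
        IPAddress.Parse("192.0.2.10"),
        IPAddress.Parse("203.0.113.77"),
    };

    public static bool IsBlocked(string remoteAddress)
    {
        IPAddress ip;
        // An address that does not parse cannot match the list; let it through
        // to the normal pipeline rather than throwing inside BeginRequest.
        return IPAddress.TryParse(remoteAddress, out ip) && Blocked.Contains(ip);
    }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += delegate(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // UserHostAddress is the TCP peer. Only trust X-Forwarded-For if a
            // reverse proxy you control sets it; otherwise it is client input.
            if (!IsBlocked(ctx.Request.UserHostAddress)) return;
            if (string.Equals(ctx.Request.Path, AcceptableUsePath, StringComparison.OrdinalIgnoreCase)) return;

            HttpResponse resp = ctx.Response;
            resp.Clear();
            resp.StatusCode = 503;
            resp.StatusDescription = "Service Unavailable";
            resp.AppendHeader("Retry-After", "3600");
            resp.ContentType = "text/plain";
            resp.Write("Service unavailable. See " + AcceptableUsePath + " for details.\n");
            // Skip straight to EndRequest so no handler, controller or view runs.
            ctx.ApplicationInstance.CompleteRequest();
        };
    }

    public void Dispose() { }
}
```

As the firewall answers above point out, this still costs a TCP handshake and a worker thread per blocked request, so it is a stopgap until the addresses are in the edge device's ACL.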
To prevent DoS attacks in my ASP.NET C# application, I have implemented throttling with the help of Jarrod's answer in this post.
Best way to implement request throttling in ASP.NET MVC?
But this uses the IP address, which makes it vulnerable to advanced attackers who can change it easily. Another option to identify anonymous users is to use their session ID. I think that it can't be changed until the user restarts the browser, so it can be a good alternative. But I am not sure from the security point of view. Kindly tell me if it is safe or not to use it? If not, then is there any other method to achieve this purpose? Thanks
Edit:
There are some methods that need a longer throttle. That's why I need a programmatic throttle of about 5 secs to 2 mins. I have configured Dynamic IP Restrictions for IIS, but I can't specify such a large time for it.
I think your terminology might be mixed up. DoS is Denial of Service. Someone changing multiple records or requesting functionality is not a DoS attack and normally, most DoS attacks are Distributed, hence DDoS.
What you are requesting based on the link you provided is called throttling... but as others have suggested, the sessionid is simply a value passed up in a cookie and can be easily modified to bypass a check just as you can simply put a proxy in front of the request to mask the source IP between requests.
Therefore, if you only wish to throttle then you need to implement authentication in front of the functionality you want to protect, use the throttling code you posted and maybe throw a CSRF token in as well for good measure.
BUT... if you want to stop DDoS, it ain't going to happen at Layer 7 since the data is already at the server.
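An added example that is not the linked answer's code: an MVC action filter that throttles per authenticated user name, the identity the answer says you need in front of the protected functionality, rather than per IP or session ID (both chosen by the client). It assumes ASP.NET MVC 3 or later on .NET 4 (System.Runtime.Caching) and that the action is also decorated with [Authorize], and optionally [ValidateAntiForgeryToken].

```csharp
using System;
using System.Runtime.Caching;
using System.Web.Mvc;

// Usage (hypothetical): [Authorize] [ThrottlePerUser(Seconds = 120)] on the action.
public class ThrottlePerUserAttribute : ActionFilterAttribute
{
    // Window in seconds; the question asks for anything from 5 s to 2 min.
    public int Seconds { get; set; }

    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var user = ctx.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Fail closed: without authentication there is no identity worth throttling on.
            ctx.Result = new HttpUnauthorizedResult();
            return;
        }
        string action = ctx.ActionDescriptor.ControllerDescriptor.ControllerName
                        + "/" + ctx.ActionDescriptor.ActionName;
        if (!ThrottleStore.TryEnter(action, user.Identity.Name, Seconds))
        {
            ctx.HttpContext.Response.AppendHeader("Retry-After", Seconds.ToString());
            ctx.Result = new HttpStatusCodeResult(429, "Too Many Requests");
        }
    }
}

// Cache logic kept separate so it can be unit tested without an HTTP context.
public static class ThrottleStore
{
    private static readonly MemoryCache Cache = MemoryCache.Default;

    // Returns true and records the call when this user has no call to this
    // action still inside the window; false while the window is open.
    public static bool TryEnter(string action, string userName, int seconds)
    {
        string key = "throttle:" + action + ":" + userName;
        var policy = new CacheItemPolicy
        {
            AbsoluteExpiration = DateTimeOffset.UtcNow.AddSeconds(seconds)
        };
        // AddOrGetExisting is atomic and returns null only when the key was absent.
        return Cache.AddOrGetExisting(key, true, policy) == null;
    }
}
```

MemoryCache is per process, so on a web farm each server throttles independently; a shared store is needed there.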
I have a security course project. It asks to enter a given website and download its information 20 times (the site has 20 subpages), then parse etc. I am using C#'s DownloadString to download and parse the page. However, after the fifth time, the website finds out that I am doing those downloads as a robot (programmatically).
What I create as a program is successful until the sixth request.
I download the content and parse the desired information. When I reach the sixth subpage, my pc is blocked.
It is not related to the time interval, because I used randomly generated timeouts between 6-12 seconds. However, that does not help. It is definitely related to the entry counter of the webpage. It is like "do not give permission after 5 requests in 30 minutes. If it passes the limit then block it for a day (or more)". Since I have been blocked many times, I am using my phone's hotspot.
I found a solution while searching on the internet. People are using IP-changing methods via netsh etc. However, I think my IP is static (WiFi) and I could not figure out how to change it programmatically in a C# Windows Forms app.
Because of that, I would like to hear your thoughts.
Your ISP most likely gives you a single Dynamic IP Address, which is the IP Address of your computer's access point to the Internet (i.e. the WAN). If so, they control the IP and not you. Even if you have a home network with multiple computers all on different local IP Addresses (LAN), you still aren't changing your WAN IP address which is the address that is effectively blocked.
Also, I am not going to judge, but I would say that if this is for an actual course project, then ethically speaking your instructor most likely would not want you to hammer an innocent website any more than the website's owner wishes for you to hammer it, hence the blocking. My suggestion would be to set your sights on another website that does not have the blocking to complete your coursework. Maybe you can do this against Google.com?
If you really need to make a request through a different IP address you could link your application up to several different proxies and switch between them at intervals.
Also, you mention that your IP is static, but there is a difference between your local IP and your external IP address. The IP address given to your WiFi connection is local, but the external IP address which is the one that would be seen by Internet sites is not the same.
If you have a dynamic external IP address, one option might be to programmatically connect to your router and restart it. This is one way to trigger an IP address update if you actually have access to it.
Overall, what you are doing is difficult to achieve for what sounds to be a simple assignment.
Here's a rather involved and eccentric solution that would, however, get around the problem nicely. Create 4 Amazon EC2 t2.micro instances (Windows) and issue 5 requests each from the EC2 instances. You can store the result to S3 buckets. It would take you a lot of work to get this working, but you'd come out the other end also having your first experience of working in the cloud. And each of those instances would have a different IP.
Also if you spin the same instance up and down a few times, it's unlikely to have the same IP in any case, so you could easily get away with one instance.
In a more serious vein: experiment with changing your user agent string and adding a much more hefty amount of time (minutes, hours) between requests. Also, turn your hotspot on and off between every five requests, which will likely give you a new IP each time.
I want to get the IP address I am being NATed behind (e.g. the one presented to the outside world, rather than my local IP).
Something like the result you get from www.ipchicken.com.
How can I get this? The local IP info is easy to find, but I have no idea how to go about getting the IP assigned from the ISP.
The reason I need it is that my network infrastructure is such that I have two gateways out of the network. If one fails, it trips over transparently to the other. All well and good, but there is no alerting mechanism to tell me that I have failed over.
I believe it's quite hard to get this information. I guess another approach I could take is by putting a webservice on an externally hosted webserver - the idea being that it returns the IP of the querying host. (However, I have no idea how to do this either!) I suspect this might be the easiest way to go.
Your computer does not have access to this information locally; you need to get it from one of the many network services which do this.
There are lots of IP services.
This one, for example. Just make a GET request and parse the simple HTML: http://checkip.dyndns.org/
Some more details about this service (Policies and rules):
http://dyn.com/support/developers/checkip-tool/
Update:
If you need to check your IP frequently, you'd better add your own web service. .dyndns.org allows checking the IP once per 10 minutes.
You can run some .NET code on the web service:
// tcpClient is an accepted System.Net.Sockets.TcpClient; the remote endpoint's address is the caller's public IP
string callerIp = ((IPEndPoint)tcpClient.Client.RemoteEndPoint).Address.ToString();
But I think a script language (python?) will be more suitable.
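An added example, not code from the answer above: the "own web service" it suggests, written as a self-hosted HttpListener that returns the caller's public address as text/plain, plus the polling side that flags a change, which is what the question's failover alerting needs. It assumes the service runs on an externally reachable host and that the prefix and URL below are placeholders.

```csharp
using System;
using System.Net;
using System.Text;

public static class WhatIsMyIpService
{
    // Separate so the response logic can be tested without a socket.
    public static string CallerAddress(IPEndPoint remote)
    {
        return remote.Address.ToString();
    }

    // prefix example (placeholder): "http://+:8080/ip/"
    public static void Run(string prefix)
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(prefix);
        listener.Start();
        while (true)
        {
            HttpListenerContext ctx = listener.GetContext();
            // RemoteEndPoint is the TCP peer. If this service itself sat behind a
            // reverse proxy it would report the proxy, so host it directly.
            byte[] body = Encoding.ASCII.GetBytes(CallerAddress(ctx.Request.RemoteEndPoint) + "\n");
            ctx.Response.ContentType = "text/plain";
            ctx.Response.ContentLength64 = body.Length;
            ctx.Response.OutputStream.Write(body, 0, body.Length);
            ctx.Response.Close();
        }
    }
}

// Runs inside the NATed network: poll the service and report when the
// externally visible address differs from the previous poll (a failover).
public class ExternalIpWatcher
{
    private string last;
    public string Last { get { return last; } }

    public bool Poll(string url)
    {
        string now;
        using (var wc = new WebClient())
            now = wc.DownloadString(url).Trim();
        bool changed = last != null && now != last;
        last = now;
        return changed;
    }
}
```

On Windows the prefix must be reserved for the service account first (netsh http add urlacl) unless the process runs elevated.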
This is a very broad question, but hopefully I can get useful tips. Currently I have an ASP.NET application that runs on a single server. I now need to scale out to accommodate increasing customer loads. So my plan is to:
1) Scale out the ASP.NET and web component onto five servers.
2) Move the database onto a farm.
I don't believe I will have an issue with the database, as it's just a single IP address as far as the application is concerned. However, I am now concerned about the ASP.NET and web tier. Some issues I am already worried about:
Is the easiest model to implement just a load balancer that will farm out requests to each of the five servers in a round-robin fashion?
Is there any problem with HTTPS and SSL connections, now that they can terminate on different physical servers each time a request is made? (for example, performance?)
Is there any concern with regards to session maintenance (logon) via cookies? My guess is no, but can't quite explain why... ;-)
Is there any concern with session data itself (stored server side)? Obviously I will need to replicate session state between servers, or somehow force a request to only go to a single server. Either way, I see a problem here...
As David notes, much of this question is really more of an Administrative thing, and may be useful on ServerFault. The link he posts has good info to pore over.
For your Session questions: You will want to look at either the Session State Service (comes with IIS as a separate service that maintains the state in common between multiple servers) and/or storing asp.net session state in a SQL database. Both are options you can find at David Stratton's link, I'm sure.
Largely speaking, once you set up your out-of-process session state, it is otherwise transparent. It does require that you store Serializable objects in Session, though.
Round-Robin DNS is the simplest way to load-balance in this situation, yes. It does not take into account the actual load on each server, and also does not have any provision for when one server may be down for maintenance; anyone who got that particular IP would see the site as being 'down', even though four other servers may be running.
Load balancing and handling SSL connections might both benefit from a reverse proxy type of situation; where the proxy handles all the connections coming in, but all it's doing is encryption and balancing the actual request load to the web servers. (these issues are more on the Administration end, of course, but...)
Cookies will not be a problem provided all the web servers are advertising themselves as being the same web site (via the host headers, etc). Each server will gladly accept the cookies set by any other server using the same domain name, without knowing or caring what server sent it; It's based on the host name of the server the web browser is connecting to when it gets a cookie value.
That's a pretty broad question and hard to answer fully in a forum such as this. I'm not even sure if the question belongs here, or if it should be at serverfault.com. However....
Microsoft offers plenty of guidance on the subject. The first result for "scaling asp.net applications" from BING comes up to this.
http://msdn.microsoft.com/en-us/magazine/cc500561.aspx
I just want to bring up areas you should be concerned about with the database.
First off, most data models built with only a single database server in mind require massive changes in order to support a database farm in a multimaster mode.
If you used auto incrementing integers for your primary keys (which most people do) then you're basically screwed out of the gate. There are a couple ways to temporarily mitigate this but even those are going to require a lot of guesswork and have a high potential of collision. One mitigation involves setting the seed value on each server to a sufficiently high number to reduce the likelihood of a collision... This will usually work, for awhile.
Of course you have to figure out how to partition users across servers...
My point is that this area shouldn't be brushed off lightly and is almost always more difficult to accomplish than simply scaling "up" the database server by putting it on bigger hardware.
If you purposely built the data model with a multi-master role in mind then kindly ignore. ;)
Regarding sessions: Don't trust "sticky" sessions, sticky is not a guarantee. Quite frankly, our stuff is usually deployed to server farms so we completely disable session state from the get go. Once you move to a farm there is almost no reason to use session state as the data has to be retrieved from the state server, deserialized, serialized, and stored back to the state server on every single page load.
Considering the DB and network traffic from just that, and that their purpose was to reduce DB and network traffic, you'll understand how they don't buy you anything anymore.
I have seen some issues related to round robin http/https sessions. We used to use in process sessions and told the load balancers to make the sessions sticky. (I think they use a cookie for this).
It let us avoid SQL sessions but meant that when we switched from http to https, our F5 boxes couldn't keep the stickiness. We ended up changing to SQL sessions.
You could investigate pushing the encryption up to the load balancer. I remember that was a possible solution for our problem, but alas, not one we investigated.
The session database on an SQL server can be easily scaled out with little code & configuration changes. You can stick asp.net sessions to a session database and irrespective of which web server in your farm serves the request, your session-id based SQL state server mapping works flawlessly. This is probably one of the best ways to scale out the ASP.NET Session state using SQL server. For more information, read the link True Scaleout model for session state
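An added web.config fragment (not from any answer above) showing the two farm settings the thread keeps returning to: SQL Server session state, so any of the five servers can serve a request, and an explicit machineKey shared by every server, without which a forms-authentication cookie issued by one server is rejected by the others. Host name and key values are placeholders; it assumes .NET 4.

```xml
<configuration>
  <system.web>
    <!-- Out-of-process session state: any server in the farm can serve the
         next request. Everything stored in Session must be [Serializable]. -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="Data Source=SESSIONDB_HOST;Integrated Security=SSPI"
                  cookieless="false"
                  timeout="20" />

    <!-- Identical on every server. Auto-generated keys differ per machine, so
         forms-auth tickets and view state signed by one server would fail
         validation on another. Generate random values; these are placeholders. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS"
                validation="HMACSHA256"
                decryption="AES" />

    <!-- The auth cookie should not be readable by script or sent over plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The session tables are created on the SQL server with aspnet_regsql.exe (the -ssadd option).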
Alright, this question sounds a bit stupid, I know. I've looked at some of the other questions about it and I'm getting inconsistent results, even though I am finding the right answers. I'll try to lay it out as plainly as I can.
I have a problem where a large number of visitors to my site are using a ... I use the term popular very loosely ... internet service (AOL) to access it. This is beyond my control. It is a large part of the userbase and I cannot stop them from using its built in browser (which derives from IE).
Now, this isn't the inherent problem. The problem is that any sites accessed through the browser go through one of their proxies. This does not cause any conflicts, but we need to know who is unique and who isn't for some specific reasons.
I have an installation of a popular message board system called "Invision Power Board". It tracks people's IP addresses and it has a feature to resolve an IP. So, I can click on an IP, and it will 'resolve' to a host like ..
IP XX.XXX.XX.XXX resolves to cache-dtc-ae16.proxy.aol.com.
Now I understand kind of what is going on here. cache-dtc-ae16.proxy.aol.com is a proxy, so I can't do much about that. I've come to terms with that. The code that does this is in IPB, and I don't speak PHP, so I'm SOL in that department.
I know how to get a User's IP Address.
HttpContext.Request.UserHostAddress
What I want to know is this ... from an IP, how can I 'resolve' to that proxy, in C#? I basically want to setup a specific part of code that denies anything from a proxy that has .aol. in it.
Does what I am trying to do make any sense, is it even feasible or possible? I may be completely missing the terminology. I believe I understand this much.
UserHostAddress is the **client's** IP Address
Here is what I have tried, basically.
// reverse lookup of the client address; Aliases is usually empty, HostName holds the resolved name
string[] aliases = System.Net.Dns.GetHostEntry(System.Net.IPAddress.Parse(HttpContext.Request.UserHostAddress)).Aliases;
Are you trying to get the domain name from the IP?
It looks like your answer is in this question here
using System.Net;
IPHostEntry IpToDomainName = Dns.GetHostEntry("209.85.129.103"); // reverse (PTR) lookup of the address
string HostName = IpToDomainName.HostName; // it returns "fk-in-f103.1e100.net"
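An added example, not the IPB code or the answer's snippet: the reverse lookup from the answer, followed by a forward lookup to confirm it, because whoever controls an address can point its PTR record at any name, including one ending in aol.com. It also matches the host name by label suffix rather than the question's ".aol." substring. The helper and its use from UserHostAddress are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class ProxyDetector
{
    // Returns the forward-confirmed host name, or null when there is no PTR
    // record, a lookup fails, or the name does not resolve back to the address.
    public static string ConfirmedHostName(IPAddress ip)
    {
        string host;
        try { host = Dns.GetHostEntry(ip).HostName; }
        catch (SocketException) { return null; }
        if (string.IsNullOrEmpty(host) || host == ip.ToString()) return null;

        IPAddress[] forward;
        try { forward = Dns.GetHostAddresses(host); }
        catch (SocketException) { return null; }
        // IPAddress overrides Equals, so Contains compares the address bytes.
        return forward.Contains(ip) ? host : null;
    }

    // The question's rule: deny when the confirmed name is under proxy.aol.com.
    // A label-suffix match avoids matching any unrelated name that merely
    // contains an "aol" label somewhere.
    public static bool IsAolProxy(string hostName)
    {
        if (hostName == null) return false;
        return hostName.Equals("proxy.aol.com", StringComparison.OrdinalIgnoreCase)
            || hostName.EndsWith(".proxy.aol.com", StringComparison.OrdinalIgnoreCase);
    }

    // Hypothetical call site: pass HttpContext.Request.UserHostAddress.
    // Cache the verdict per address in production; a DNS round trip on every
    // request is far too slow and an unparseable address is simply not denied.
    public static bool ShouldDeny(string userHostAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(userHostAddress, out ip)) return false;
        return IsAolProxy(ConfirmedHostName(ip));
    }
}
```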
This is a limitation of the TCP protocol. The address is part of the TCP packet and as far as I know, routers and switches and NATs and proxies change the address and put their own.
As far as I know, there is no way around it. The proxy's address is as good as you're gonna get.
I believe even the TCP packet's MAC (physical) address is going to be the proxy's, but that is something to look at, although not sure if you can get that in the ASP.NET runtime since a request can come in multiple TCP packets.
Try this:
NullifyNetwork - A comprehensive Microsoft DNS Server management implementation in C#