2

I have a list of IP addresses of bots/hackers that are constantly attacking one of my sites. I want to block these visitors by IP and am trying to work out a "best" approach for this. My site uses C# ASP.NET MVC.

I have a `List<int>` of IPs.

Where is the best place to put the check code? I'm thinking of using the Page_Load event of a master page but could also put it in a filter to each controller...

What HTML do you return to the banned IP? I am reluctant to return a "site blocked because your IP is banned" because this will give the hackers the information they need to work around the block. The advantage of doing this is that it will give the innocent users who have been caught in the crossfire the reason why they can't access the site. My current feeling is that I should return a "Site under maintenance" notice.

What HTTP status code should I return with a fake "Site under maintenance" notice? I'm thinking 200.

Site is running on Server 2003.

Guy
  • How are you fitting IPs into a List ? :) – Ariel Dec 23 '09 at 17:07
    An IP address is a 32-bit sequence. Coincidentally, so is `System.Int32`. Note that IP addresses are often represented as text in a particular format: with octets in decimal representation and separated by periods. – yfeldblum Dec 23 '09 at 17:10
  • For those interested, methods to convert IP to Int --> http://www.justin-cook.com/wp/2006/11/28/convert-an-ip-address-to-ip-number-with-php-asp-c-and-vbnet/ – Nate Dec 23 '09 at 17:55
  • Correct - I convert the 4 octets into an int because it's more efficient and easier to work with. I also store them as ints in the DB. This allows me to search for ranges of IP's very quickly especially if I index that column. – Guy Dec 23 '09 at 18:17
  • Why are you using Page_Load for ASP.NET MVC? Wrong paradigm. Webforms is that way. :-) – George Stocker Dec 23 '09 at 20:04
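An added example (not code from the question or any of the comments) of the address-to-integer conversion the comments discuss, together with the trap a practitioner hits when the container is `List<int>` rather than `List<uint>`: as a signed 32-bit value every address from 128.0.0.0 upward is negative, so ordered range comparisons on the int values give wrong answers. The ranges in the block list are constructed sample data in documentation address space.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;

public static class IpBlockList
{
    // Dotted-quad IPv4 text -> unsigned 32-bit number, most significant octet first.
    // uint rather than int: as a signed value every address from 128.0.0.0 up is
    // negative, so "start <= ip <= end" range checks on ints silently break.
    public static uint ToUInt32(string dottedQuad)
    {
        IPAddress addr;
        if (!IPAddress.TryParse(dottedQuad, out addr) || addr.AddressFamily != AddressFamily.InterNetwork)
            throw new FormatException("Not an IPv4 address: " + dottedQuad);
        byte[] b = addr.GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // Signed DB column: store with unchecked((int)ip) and cast back to uint before comparing.
    public static int ToDbInt(uint ip) { return unchecked((int)ip); }
    public static uint FromDbInt(int stored) { return unchecked((uint)stored); }

    // Inclusive range; the list must be sorted by Start and non-overlapping.
    public struct Range { public uint Start, End; }

    // Binary search over the sorted ranges: O(log n) per request instead of a linear scan.
    public static bool IsBlocked(List<Range> sortedRanges, uint ip)
    {
        int lo = 0, hi = sortedRanges.Count - 1;
        while (lo <= hi)
        {
            int mid = lo + (hi - lo) / 2;
            if (ip < sortedRanges[mid].Start) hi = mid - 1;
            else if (ip > sortedRanges[mid].End) lo = mid + 1;
            else return true;
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample block list (documentation prefixes): one /24 and one single host.
        var ranges = new List<Range>
        {
            new Range { Start = ToUInt32("198.51.100.0"), End = ToUInt32("198.51.100.255") },
            new Range { Start = ToUInt32("203.0.113.7"),  End = ToUInt32("203.0.113.7") }
        };
        ranges.Sort((a, b) => a.Start.CompareTo(b.Start));
        Console.WriteLine(IsBlocked(ranges, ToUInt32("198.51.100.42")));
        Console.WriteLine(IsBlocked(ranges, ToUInt32("198.51.101.1")));
        Console.WriteLine(ToDbInt(ToUInt32("203.0.113.7")) < 0);   // the sign trap
    }
}
```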

4 Answers

12

If you feel your site is being "hacked" from a specific IP, you should not be blocking that IP in software, the very thing that they intend to compromise. Blocked IPs should be blocked at the firewall.

David
    Or if you can't do that in the firewall, do it in IIS. – Wyatt Barnett Dec 23 '09 at 17:03
  • So how would I do that in IIS or in the Firewall? Also what would you return to the blocked IP? – Guy Dec 23 '09 at 17:08
  • For a real firewall a blocked IP simply means that *no* response is sent to that address - packets are ignored completely (this prevents TCP based DoS attacks from that IP). You *can* go more advanced and use a Firewall proxy in your server setup, which would allow it to serve or redirect requests from specific IP addresses. – David Dec 23 '09 at 17:31
  • How you block an IP on your Firewall depends on the firewall you are using - Windows built in firewall (not really that great for server setups, meant more for home users), a 3rd party firewall like ZoneAlarm, or best for a real server setup, a hardware firewall, which is a dedicated box sitting between the server and the internet (many routers and most managed switches include a basic hardware firewall or IP policy tool). – David Dec 23 '09 at 17:34
  • To block an IP in IIS, go to your website properties, click on the "Directory Security" tab, then click on the Edit button under "IP Address and Domain Name Restrictions". This will show a window that lets you add IP addresses or ranges to block (or you can configure it to allow *only* those addresses, known as a white list) – David Dec 23 '09 at 17:36
3

I'd have to agree with David on this for several reasons.

  1. By blocking via software, hackers/bots will still be able to abuse your resources (bandwidth, processor time, etc).

  2. Software can't protect your site against DoS attacks.

  3. If a hacker is good they'll find a way around software blocks.

  4. Updating blocking code will require recompiling of your application.

Your answer is in the firewall. Set up rules to block out the users and they won't be able to connect.

Sending an "under maintenance" page is a terrible idea because it'll confuse normal users and won't deter a good hacker...

Ariel
  • How would normal users not be confused if they are the innocent victims using a previously abused IP address by blocking at firewall? i.e. you have to return something to the client? What is that something? – Guy Dec 23 '09 at 17:11
  • Guy: @1: see http://www.google.com/search?q=block+ip+address+iis @2: leave it to the browser. It will spit out a nice message such as "Firefox can't establish a connection to the server at ." – reinierpost Dec 23 '09 at 17:31
  • There's no "pretty" way to display such a message. Better to be very specific with IP addresses to avoid false-positives... – Ariel Dec 23 '09 at 17:35
2

While you could block the IP addresses on your outward facing servers (your web servers obviously, but you may have others), this list will need to be replicated across all. By blocking on a server you're not only overcomplicating the solution but also providing a method which is not wholly secure.

The proper point to block network traffic, whether it be a select list of ports or IP addresses, is as far out on your network as you can get. This is typically a firewall/router at your entry point. These networking devices are optimized for this very purpose, as well as far beyond that. Depending on the manufacturer of your networking equipment the feature set will widely vary.

I suggest you:

  • Identify all routers/firewalls at the outermost boundary. It is possible you only have one unless you're load balancing.
  • Learn how to configure the ACL (access control list) for those devices.
  • Modify the ACL based on your IP addresses list to block.
  • Always save a backup of your network device config elsewhere.

Obviously this is just the tip of the iceberg in security. Perhaps at some point you'll need to contend with DoS (Denial of Service) attacks and then some - oh the fun.

Good luck.

BigBrother
2

I'd stick the code in a place where it will run as soon as possible, before the server consumes too many resources.

I would say you should send back as little information as possible, ideally HTTP status 503 (Temporarily unavailable) with a short message linking to an acceptable-use page, or a page explaining to people some reasons why they MIGHT have been blocked and what to do if they feel they are blocked unfairly. You may wish to do this in text/plain instead of HTML as it will use fewer bytes :)

Using an in-memory list of blocked IPs also breaks when you have a large number of blocked addresses (say 1 million) because scanning it becomes prohibitive (remember you need to do this for every request to the relevant resource).

Ultimately you will want a way to distribute the lists of blocked IPs to all your web servers and/or keep it centralised - depending on exactly what kind of abuse you are getting or anticipating.

Having said that, you should definitely apply the YAGNI principle. If you aren't experiencing real capacity problems, don't bother blocking abusers at all. Very few sites actually do this, and most of them are things where there is a significant cost associated with running the site (such as Google search).

MarkR
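An added example, not MarkR's or the asker's code, of putting the check where this answer says it belongs: in `Application_BeginRequest` of Global.asax, which runs before routing and before any controller is built, with a `HashSet` instead of a scanned list and a short `text/plain` 503 response. The two blocked addresses and the `~/blocked-help` path are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Blocked IPv4 addresses keyed as uint: O(1) lookup instead of scanning a List.
    // Load from the database at startup; these two entries are constructed samples.
    private static readonly HashSet<uint> Blocked = new HashSet<uint>
    {
        IpKey(IPAddress.Parse("198.51.100.42")),
        IpKey(IPAddress.Parse("203.0.113.7"))
    };

    private static uint IpKey(IPAddress a)
    {
        byte[] b = a.GetAddressBytes();
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // BeginRequest fires before routing, so no controller, view or session work is
    // done for a banned client. Only the TCP peer address is checked: X-Forwarded-For
    // is client-controlled unless a proxy you operate overwrites it.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Assumed path of the "why might I be blocked" page; it must stay reachable.
        if (Request.AppRelativeCurrentExecutionFilePath == "~/blocked-help")
            return;

        IPAddress peer;
        if (!IPAddress.TryParse(Request.UserHostAddress, out peer)
            || peer.AddressFamily != AddressFamily.InterNetwork
            || !Blocked.Contains(IpKey(peer)))
            return;

        // Minimal, non-cacheable 503 in text/plain, as the answer suggests.
        Response.Clear();
        Response.StatusCode = 503;
        Response.StatusDescription = "Service Unavailable";
        Response.ContentType = "text/plain";
        Response.AppendHeader("Retry-After", "3600");
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Write("Service unavailable. If you think this is a mistake, see /blocked-help");
        CompleteRequest();   // stop the pipeline here; nothing further runs for this request
    }
}
```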