5

My little ASP.NET MVC application is getting quite a few requests to bogus "setup.php" pages (easily 200+ per week). I'm guessing this is some bot attempting to find vulnerable sites on the web to hack. It's not a huge issue, but it does tend to fill up my error logs with junk and can make it harder to find real issues that need to be fixed.

What I'd like to do is create a route to handle all .php requests (and potentially other clearly bogus extensions) and handle them in some way. What would be fantastic would be to immediately abort the request so that my application isn't wasting time/bandwidth on creating and sending a response (even if it's just a 404). Also, assuming these are malicious requests, it would be great to make their server sit and wait for a timeout instead of getting an immediate response and quickly moving on to try someone else's servers :)

So, I guess this is a 2 part question.

  1. Is it possible to simply stop processing a request in ASP.NET/MVC without sending a response?

  2. Is there a better solution to this issue?

herbrandson

3 Answers

3

If you're using IIS7, check out http://learn.iis.net/page.aspx/499/request-blocking---rule-template/

This can be specified in your web.config as well

<system.webServer>
    <rewrite>
        <rules>
            <rule name="RequestBlockingRule1" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
UpTheCreek
Ryan Sampson
  • This is a really nice solution. But, it looks like this is going to return a 403 and it would be even cooler if there was a way to not actually return anything. I'd really love to just kill the request and not send anything back to the client. – herbrandson Oct 21 '11 at 21:42
  • 1
    @herbrandson: Just change the action to This element tells the URL Rewrite Module to end the HTTP request. Info taken from site (in the access block section 2/3 down the page): http://learn.iis.net/page.aspx/461/creating-rewrite-rules-for-the-url-rewrite-module/ – Tommy Oct 22 '11 at 06:16
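
The request-blocking rule from this answer, rewritten to drop the connection instead of returning a 403 and to cover more than one extension. This is an added example, not part of the original posts: it uses the URL Rewrite module's `AbortRequest` action type, and the rule name and the extension list are assumptions to adapt to your site.

```xml
<system.webServer>
    <rewrite>
        <rules>
            <!-- Hypothetical rule name; place it before other rules so it is evaluated first. -->
            <rule name="AbortBogusScriptRequests" stopProcessing="true">
                <!-- Default pattern syntax is regular expressions, so ".*" matches every request path. -->
                <match url=".*" />
                <conditions>
                    <!-- {URL} is the request path without the query string.
                         The extension list is a constructed sample for a site that serves none of these.
                         "(/|$)" also catches path-info forms such as /setup.php/extra
                         without matching longer names such as /notes.phpx. -->
                    <add input="{URL}" pattern="\.(php|cgi|jsp)(/|$)" ignoreCase="true" />
                </conditions>
                <!-- AbortRequest takes no parameters: the connection is dropped and no response is sent. -->
                <action type="AbortRequest" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
```

Because the module closes the connection rather than holding it open, the client sees the request fail at once; this saves the response but does not make the scanner wait for a timeout.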
0

You could try to return an EmptyResult. I've never tried that but the documentation says "Represents a result that does nothing, such as a controller action method that returns nothing."

saintedlama
0

The best solution would be to just set up proper 404 handling in your project and return a 404 Not Found page so that you don't keep getting the unhandled exception messages. This way you aren't coding something just for these bots but you are actually coding something useful for all users that may accidentally end up on a bad or dead link (it happens). This question and answer has a lot of good options. You could use those options, and if you still really wanted to send no response, you could call Response.Clear and Response.End to return no response if the url was for index.php. The key is adding the catch-all route to handle all requests that don't match to existing controllers/actions.

Community
bkaid