17

Some script kiddie in Delhi, India has been trying to hack our site since last night. He wrote a browser script that makes requests of our server in massive nested loops, trying everything under the sun.

He's not getting anywhere, and isn't getting past even our basic defenses (but he is filling up our log files).

We're sending back a 403 Unauthorized to his requests almost as soon as they come in, but the faster we block his requests, the faster his script runs.

We would like to introduce a "delay" of some sort before sending back the 403 response. The longer, the better.

Question: How can we delay hack attempts without affecting the rest of the site?

  • I assume that a Sleep(15000) on his thread would be bad news for other site visitors.
  • Spinning up a new thread just for him seems like overkill.
  • Is there another way to send a delayed response?
  • How long can we force his browser to wait? I suppose I don't care much if he gets the 403 Unauthorized error or eventually times out, so we could probably even do an indefinite / infinite wait.
Flipster

9 Answers

37

There should be a separate firewall somewhere in front of your web server. You want to block the requests there from ever reaching your server, such that as far his IP is concerned your server doesn't exist any more.

Joel Coel
5

There are actual intrusion detection systems, big and small, that will do this automatically for you depending on the various filters, honeypots and other mechanisms.

For example see fail2ban which can be configured to take actions based on analysis of logs.

This way you can

  • easily filter a single IP address from which an attack is coming without influencing other users of your site
  • write your own regex to analyze logs
  • define your own actions (throttle instead of ban, etc.)

There are other and bigger tools; see the "See also" section on Wikipedia.

As your question is marked as asp.net I assume your server platform is Windows. Still, if using a Linux firewall is an option you can try the above:

  • put a linux firewall between WAN and your server
  • give access to the firewall machine to your IIS logs
  • write a regex to analyze it
  • plug it into existing templates for banning

Such a firewall can be run on extremely modest hardware - think even something like Linksys routers - for very decent link bandwidths.

Unreason
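As an added illustration of the fail2ban-style workflow this answer describes (this is example code written for this page, not code from the thread or from fail2ban itself), the block below walks IIS W3C log lines, applies the equivalent of a failregex (denied status codes), counts failures per client IP inside a findtime/maxretry window, and emits a ban action. The log lines, the status-code set and the thresholds are constructed for illustration; field names follow the IIS "#Fields:" header.

```python
"""Added example (not code from the thread or from fail2ban): a minimal
fail2ban-style pass over IIS W3C log lines, reproducing the three knobs
the answer mentions: a failregex-like match on the log format, a
findtime/maxretry window per IP, and a configurable ban action.
Log lines and thresholds below are constructed samples."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample: one client sweeping for admin pages, one normal visitor.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-05-10 08:00:00 203.0.113.7 GET /admin.php 403
2010-05-10 08:00:00 203.0.113.7 GET /wp-login.php 403
2010-05-10 08:00:01 203.0.113.7 GET /phpmyadmin/ 403
2010-05-10 08:00:01 198.51.100.20 GET / 200
2010-05-10 08:00:01 203.0.113.7 GET /cgi-bin/test.cgi 403
2010-05-10 08:00:02 203.0.113.7 GET /.env 403
2010-05-10 08:00:03 198.51.100.20 GET /private 403
2010-05-10 08:00:04 203.0.113.7 GET /backup.zip 403
"""

# Status codes that count as a "failure" for the ban counter (assumed set;
# 404 is included because probing scripts hit many non-existent paths).
FAIL_STATUSES = frozenset({"401", "403", "404"})


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header defines the column layout
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data precedes the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated line (e.g. mid-rotation): skip it
        yield dict(zip(fields, values))


def failures(records):
    """Equivalent of a failregex match: (timestamp, client ip) per denied request."""
    for rec in records:
        if rec.get("sc-status") not in FAIL_STATUSES:
            continue
        try:
            stamp = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            client = ip_address(rec["c-ip"])
        except (KeyError, ValueError):
            continue                       # malformed field: log noise must not crash the watcher
        yield stamp, client


def find_offenders(records, maxretry=5, findtime_seconds=600, ignoreip=()):
    """Sliding-window counter like fail2ban's findtime/maxretry.

    Returns {ip: timestamp of the request that tripped the threshold}.
    Addresses in ignoreip (your own office, monitoring hosts) are never banned."""
    findtime = timedelta(seconds=findtime_seconds)
    ignored = {ip_address(addr) for addr in ignoreip}
    recent = defaultdict(deque)
    banned = {}
    for stamp, client in failures(records):
        if client in ignored or client in banned:
            continue
        window = recent[client]
        window.append(stamp)
        while window and stamp - window[0] > findtime:
            window.popleft()               # forget failures older than findtime
        if len(window) >= maxretry:
            banned[client] = stamp
    return banned


def actionban(client):
    """The actionban the firewall host would run for one offender. A blackhole
    route is used rather than an iptables rule because route lookups stay fast
    even with a very large number of entries."""
    return f"ip route add blackhole {client}"


if __name__ == "__main__":
    for client, when in find_offenders(parse_w3c(SAMPLE_LOG)).items():
        print(f"{when}: {actionban(client)}")
```

With the sample above, the sweeping client trips maxretry=5 on its fifth denied request (08:00:02) and is scheduled for a blackhole route; the normal visitor's single 403 never reaches the threshold. Shrinking findtime to one second makes the same burst fall below the threshold, which is the knob to tune if real users occasionally hit a denied page.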
4

If they come from a specific IP address or address block, you may want to add a blackhole route to it:

ip ro add blackhole 10.69.96.0/24
ip ro flush cache

You can also accomplish this by using an iptables rule, but realize that iptables rules are traversed linearly, so if you start adding iptables rules for every miscreant that comes along, you can start to eat up a lot of CPU. Routing tables are optimized for handling many, many entries. For example, one of my boxes has 350K entries in its routing table with no problem. But if I had 3K iptables rules the box would almost certainly fall over.

If you try doing something where your application sleeps for many seconds on these connections, you may end up tying up enough resources that legitimate requests can't get any resources.

3

You do not want to slow him down because slowing him down incorrectly will take your site down as if it was under a DoS attack because your threads will be 'busy' servicing this person's requests. What you want to do is to block his IP and be done with it. There is no reason to bait the person doing it.

sybreon
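As an added illustration of the point this answer makes (example code written for this page, not code from the thread), here is a small Python model of a fixed-size worker pool, like the one IIS serves requests from, handling a burst of the attacker's requests ahead of a few legitimate ones. The attacker's handler either returns its 403 immediately or sleeps first, which is the delay the question proposes. Pool size, request counts and sleep times are constructed values chosen only to make the effect visible.

```python
"""Added example (not from the thread): a model of the thread-pool effect the
answer warns about. A fixed pool of worker threads serves a burst of attacker
requests that arrived before a few legitimate ones; the attacker's handler
either replies at once or sleeps before its 403. Pool size, request counts
and sleep times are constructed for illustration."""
import time
from concurrent.futures import ThreadPoolExecutor


def serve(delay_before_403, workers=4, attacker_requests=8, legit_requests=4):
    """Return the worst latency, in seconds, that a legitimate client sees."""

    def handle(kind, submitted_at):
        if kind == "attacker":
            time.sleep(delay_before_403)   # the worker is held for the whole delay
        else:
            time.sleep(0.005)              # a normal page render
        return time.monotonic() - submitted_at

    with ThreadPoolExecutor(max_workers=workers) as pool:
        # The attacker's burst is queued first, as in the incident: his script
        # issues requests faster than legitimate visitors do.
        for _ in range(attacker_requests):
            pool.submit(handle, "attacker", time.monotonic())
        legit = [pool.submit(handle, "legit", time.monotonic())
                 for _ in range(legit_requests)]
        return max(f.result() for f in legit)


if __name__ == "__main__":
    print(f"immediate 403: worst legitimate latency {serve(0.0):.3f}s")
    print(f"delayed 403:   worst legitimate latency {serve(0.2):.3f}s")
```

With four workers, eight queued attacker requests and a 0.2 s delay, every worker is busy sleeping on the attacker's behalf for two full rounds, so the first legitimate request cannot even start for about 0.4 s; with an immediate 403 the same burst is cleared in milliseconds. Scale the numbers up to a 15 s sleep and a script that never stops and the pool is simply gone, which is the self-inflicted denial of service the answer describes.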
0

If you're using linux, use iptables to limit the guy to like 1 byte/s with big delays and make him take forever to even get one request through. If it's distributed, that won't help much.

I'm not sure how you'd do it on Windows, but you may find some similar options in your router or hardware firewall, if you have one.

EDIT: Agreed with the above, this is more like a server fault question.

Robert
0

If the IP address of the guy's pretty constant you could create a custom HttpModule, plug it in via a change in the web.config file and have a delay on it when it's recognized as this IP address. Or you can send him back some 404 codes or have him redirected to somewhere else.

0

You know they're in India. Does your site have significant Indian patrons which would preclude simply blocking their entire IP range at the firewall level in increments until the flow stops? It's certainly not a firm solution but if you're just dealing with a typical 'script kiddie' it should be enough to discourage them and send them to another target.

Even better, if it's from one IP, you could reply with your own denial of service attack :)

0

In addition to the answer you received, you will want to save your documentation (logs, traces) and supply them to your service provider. This is the most effective during the incident as your provider can witness the incursion. Even though you are successful in your measures, it's important to curtail further attempts and it helps your provider in escalating a request to the attacker's service provider; arguably the most efficient action is for the attacker's provider to refuse service to his customer, the identified attacker.

corin
0

If you're a programmer you could work with the .NET Begin_Request event and put your "sleep" in there.