ASP.NET MVC3 - what do you do with probing requests?

Our site went online and, of course, we started to receive loads of probing requests, like

'/blog/wp-login.php'
'/admin/admin.php'

etc.
So the question is, what do you do with them?

Right now, in each case a 404 error is thrown and ELMAH sends an email about it, but I think it would be better to ignore at least all PHP requests.

How can this be done so that such requests put minimal load on the server? Maybe it is possible to keep the ASP.NET pipeline from being involved in such requests?
Or is it better to redirect, or return an empty result?

If that simply requires adding IgnoreRoutes, maybe someone has a good set of routes that would ignore most of the probing requests?

Giedrius asked Nov 14 '11 07:11


2 Answers

I know that you have stated that you don't want to use the rewrite module in IIS as it 'adds additional load on IIS', but in truth, using IIS to handle these will be less intensive than passing into your application to do the same thing (even though both are extremely small resource-wise). If you want to ignore the request with the minimal amount of load on IIS and your bandwidth, I would suggest the following:

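<!-- Goes inside <system.webServer> in web.config -->
<rewrite>
  <rules>
    <rule name="Fail PHP requests">
      <!-- Evaluate the condition below for every request URL -->
      <match url=".*"/>
      <conditions>
        <!-- The default pattern syntax is regex, so match a literal ".php" -->
        <add input="{URL}" pattern="\.php" />
      </conditions>
      <!-- Drop the connection without sending a response -->
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>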

This rewrite with the action type set to AbortRequest completely severs the HTTP connection and drops the request, no 404 or 403 errors returned. Taken from Learn IIS in the 'Creating an Access Block' section.

EDIT - Since there are concerns from the OP on using the rewrite module and performance, I am going to submit a second option that may still catch .php requests without using the rewrite module. IIS7 and above also support Request Filtering and, according to Learn IIS, Request Filtering is...

The request filtering module runs at the beginning of the request processing pipeline by handling the BeginRequest event. The module evaluates the request metadata, such as headers, the query string, content length, etc, in order to determine whether the request metadata matches any existing filter. If there is a match, the module generates a 404 (File Not Found) response and then shortcuts the remainder of the IIS pipeline

To implement, add the following section to your web.config:

<configuration>
 <system.webServer>
  <security>
   <requestFiltering>
    <fileExtensions allowUnlisted="true" >
     <add fileExtension=".php" allowed="false"/>
    </fileExtensions>
   </requestFiltering>
  </security>
 </system.webServer>
</configuration>

Information from URL Rewrite vs Request Filtering and Using Request Filtering

Tommy answered Sep 27 '22 20:09
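
To check that the request-filtering rule from the answer above is actually short-circuiting the probes, the IIS log can be summarized by sub-status: IIS records a request denied by a file-extension filter as 404.7. This is an added example, not code from the original answers; the log lines are constructed sample data and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2011-11-14 07:11:02 GET /blog/wp-login.php 203.0.113.7 404 7
2011-11-14 07:11:03 GET /admin/admin.php 203.0.113.7 404 7
2011-11-14 07:11:09 GET /Home/Index 198.51.100.4 200 0
2011-11-14 07:12:40 GET /old/setup.php 203.0.113.9 404 0
2011-11-14 07:12:41 POST /xmlrpc.php 203.0.113.9 404 7
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def summarize_php_probes(text, extension=".php"):
    """Split .php requests per client IP by where IIS rejected them."""
    filtered = Counter()        # 404.7: denied by request filtering
    leaked = defaultdict(list)  # any other status: got past the filter
    for req in parse_w3c(text):
        if not req["cs-uri-stem"].lower().endswith(extension):
            continue
        if (req["sc-status"], req["sc-substatus"]) == ("404", "7"):
            filtered[req["c-ip"]] += 1
        else:
            leaked[req["c-ip"]].append(req["cs-uri-stem"])
    return filtered, dict(leaked)


if __name__ == "__main__":
    blocked, passed = summarize_php_probes(SAMPLE_LOG)
    for ip, count in blocked.most_common():
        print(f"{ip}: {count} probe(s) stopped by request filtering")
    for ip, paths in passed.items():
        print(f"{ip}: not filtered, check the config covering {paths}")
```

Any `.php` request that shows up with a status other than 404.7 was not stopped by the filter, which usually means the `requestFiltering` section is not in effect for that site or path.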


This is what I have used in web.config on one of my projects that has PHP as a sub-application:

<system.webServer>
    <rewrite>
        <rules>
            <rule name="ignorePhp" patternSyntax="Wildcard">
                <match url="*" />
                <conditions>
                    <add input="{URL}" pattern="*.php*" />
                </conditions>
                <action type="CustomResponse" statusCode="403" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>

UPDATE

You may also look at this post.

Abdul Munim answered Sep 27 '22 19:09