IP and Domain Restrictions

Our ASP.NET website is hosted on a windows server 2008 and IIS7.

Recently we have a problem with "attacks" from certain IPs that generate a lot of errors by submitting different forms with invalid parameters.

I'd like to be able to block a list of IP addresses for 24hrs based on a list generated from the asp.net code. I know it is possible to achieve this using Web.config - ipSecurity Tag. I’ve found the following example:

http://www.dantor.com/support/misc/web-config-ip-address-restriction.aspx

The problem is that changing/updating the web.config will cause the website to restart/recycle.

Is it possible to update the blocked IP list without pool recycle?

EDIT:

Maybe a better idea would be to implement this using HttpModule - Scott Hanselman wrote a post on this subject in his blog: http://www.hanselman.com/blog/AnIPAddressBlockingHttpModuleForASPNETIn9Minutes.aspx

Do you think this will cause a performance hit? Routing all of the website's requests through the HttpModule could have an effect in terms of page load time? Any other idea of how to get this done?

EDIT 2:

The website is protected by a Fortigate 200a firewall, but from my knowledge the firewall isn't able to automatically block IPs that generate errors or try to do SQL injection.

RuSh asked Jul 21 '14 11:07




1 Answer

Is it possible to update the blocked IP list without pool recycle?

I'm going to stick my neck out here and say that it is not.

Do you think using an HttpModule will cause a performance hit?

Yes. A significant one, probably not. But make sure that the IP address lookup part is very efficient. Cache the list in a HashSet for example and don't read the list from a file every time.

The problem is you are still using your web request processing power to fend off the duff requests. But this is likely to be less than the processing you do to find out if the request is duff if you don't block the IP, so overall it may actually be a performance gain. There is a risk however that you get so many requests from these IP addresses that it overwhelms your server.

Other Options

It may well be possible to install a software firewall or use the Windows built-in firewall.

As others have said, getting a hardware firewall will take the load off your server entirely. You can get ones that can be updated dynamically by your web server to ban IP addresses. Though I've never used one, so I can't recommend one or comment on how well they work. If you are on a cloud-based setup it may be worth discussing with your service provider what they can do.

One thing to consider about updating the firewalls is do you really want to allow your web application the security privilege of being able to update the firewall? Sounds like a security flaw waiting to happen so be extremely careful about how this is done and ensure the security privilege only allows adding IPs to the block list.

If you are really getting hammered you can route all your traffic through a third-party DDoS protection service like this one from VeriSign. But expect to pay bucks for the privilege.

Is App pool recycling such a bad thing?

Something else that just occurred to me is that having the application pool recycle may not be as bad as you would think. Assuming you are using a shared state server, it may well be that none of your users would actually notice this happen. The reason being that IIS normally runs two processes in parallel for a short period of time while recycling, so that new requests get processed by the new process and requests that have already started get finished on the old process. It is only when all outstanding requests have been processed by the old process that IIS kills it off. As long as you are not storing state in-memory, this normally means that users of your site don't notice the switchover.

Martin Brown answered Oct 06 '22 01:10
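A sketch of the HttpModule approach the answer recommends (in-memory block list with an O(1) lookup, 24-hour expiry, no web.config rewrite and therefore no pool recycle), added here as an example; it is not code from the question, the answer or Hanselman's post, and the type name, the web.config registration and the `Block()` entry point are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Hypothetical module (an added example, not code from the question or answer). Register it
// once in web.config under <system.webServer><modules>; the block list itself lives in memory,
// so adding an IP never rewrites web.config and never recycles the application pool.
public class IpBlockModule : IHttpModule
{
    private static readonly TimeSpan BlockDuration = TimeSpan.FromHours(24);

    // IP string (as IIS reports it in Request.UserHostAddress) -> UTC time the block expires.
    // ConcurrentDictionary gives the O(1) lookup the answer asks for, safely across request threads.
    private static readonly ConcurrentDictionary<string, DateTime> Blocked =
        new ConcurrentDictionary<string, DateTime>();

    // The only mutation exposed to application code: add (or extend) a block. Call it from
    // the validation-failure path of the forms being abused, passing Request.UserHostAddress.
    public static void Block(string ip)
    {
        if (string.IsNullOrEmpty(ip)) return;
        Blocked[ip] = DateTime.UtcNow.Add(BlockDuration);
    }

    public static bool IsBlocked(string ip, DateTime utcNow)
    {
        DateTime until;
        if (ip == null || !Blocked.TryGetValue(ip, out until)) return false;
        if (until > utcNow) return true;
        Blocked.TryRemove(ip, out until); // expired: drop lazily so the table cannot grow unbounded
        return false;
    }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            // UserHostAddress is the TCP peer. Behind a reverse proxy or load balancer that is the
            // proxy; then the client IP must come from a header your own proxy sets, never the client.
            if (IsBlocked(ctx.Request.UserHostAddress, DateTime.UtcNow))
            {
                ctx.Response.StatusCode = 403;
                ctx.Response.SuppressContent = true;
                ctx.ApplicationInstance.CompleteRequest(); // skip the rest of the pipeline
            }
        };
    }
    public void Dispose() { }
}
```

Because the list is per application pool, a recycle or a web garden with several worker processes empties or splits it; persist it (database or state server) if the block must survive those.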