mapsedge ([personal profile] mapsedge) wrote 2008-02-04 09:26 am

Technical question

We're getting hundreds of requests per day against our web server every day that look like this:

http://www.servername.com/index.asp?parm1=x&parm2=y&parm3=z&parm4=http://someotherserver.com/blahblahblah&parm5=a&and=so&on=1

In our web apps we pass SQL query parameters using the browser's address line - all of our queries take the form of stored procedures so the security risk is much reduced.

My question is: what's the purpose? What is the supposed hacker trying to do?

We're already using IIS to block site access by IP address, but we're getting hit so often that entering those IPs - even using ranges - could end up a full-time job. Plus, as I understand it, having too many entries can slow website performance. We're in talks with our ISP about blocking at the firewall level, but they have no history of being terribly helpful.

[identity profile] jehosefatz.livejournal.com 2008-02-04 06:23 pm (UTC)
Would depend on what's actually in the URL, but a couple of possibilities are these:

-- buffer overflow - I'm not familiar enough with IIS to know if there is a buffer overflow exploitation where a properly embedded URL within a GET request causes the parser to puke and/or redirect to the embedded URL
-- brute force against a known toolkit for ASP / IIS or something else - Developers use a lot of 3rd party tools to develop sites. It's possible that a toolkit has an exploit where a parameter called a particular thing does stuff that the exploiters could find useful
-- cross-site scripting - This would depend on what the actual query is about, but it could be trying to inject some .js or somesuch to read cookies from the client machine.

It may not even necessarily be malicious... it could be trying to route higher traffic volumes to the site to drive ad revenue or something.

It's more likely than not that it's a brute force application that takes incoming URLs or scans browser history or just hits web servers at random and sends requests with known exploits hoping to find one. May not even be IIS or your application specific. Just fishing (... or phishing if you prefer)... 'cause 30-40% of admins don't keep their stuff updated very well.

As for blackholing, yeah, if you have a bunch it can slow things down (it has to scan all incoming packets against the list). I use a collection of tools to shitcan any IP that sends a request that's not valid or legitimate automatically, so I don't have to maintain a list unless I want to. Periodically I delete the master file and seed it with known bads and it starts over.

- Jeho
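The request pattern in the question (a query parameter whose value is a URL on another host) and the automatic blackholing Jeho describes can be combined into a simple log check. The following is an added example, not code from either poster: it scans IIS W3C-style log lines (constructed sample data below), flags requests carrying a foreign URL in any parameter, and reports client IPs that repeat it often enough to be worth feeding into a block list. The host name `www.servername.com`, the field order and the threshold are assumptions.

```python
# Added example: detect query parameters that point at another host and tally
# them per client IP, so repeat senders can be blocked automatically instead of
# being entered into IIS by hand.
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

OWN_HOST = "www.servername.com"  # assumed: the server's own name from the post

# Constructed sample lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2008-02-04 09:00:01 203.0.113.5 GET /index.asp parm1=x&parm4=http://someotherserver.com/blahblahblah 200
2008-02-04 09:00:02 203.0.113.5 GET /index.asp parm1=y&parm4=http://someotherserver.com/abc.txt? 200
2008-02-04 09:00:03 198.51.100.7 GET /index.asp parm1=z&parm4=http://www.servername.com/page.asp 200
2008-02-04 09:00:04 192.0.2.9 GET /index.asp - 200
2008-02-04 09:00:05 203.0.113.5 GET /index.asp parm4=https://other.example.net/file.txt 200
"""


def remote_url_params(query: str, own_host: str = OWN_HOST):
    """Return (param, host) for each parameter whose value is an absolute URL to a foreign host."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https", "ftp") and parts.hostname \
                and parts.hostname.lower() != own_host.lower():
            hits.append((name, parts.hostname.lower()))
    return hits


def suspicious_ips(log_text: str, threshold: int = 2):
    """Count flagged requests per client IP; return those at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # skip W3C header lines and malformed rows
        client_ip, query = fields[2], fields[5]  # IIS logs '-' for an empty query
        if remote_url_params(query):
            counts[client_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests with a foreign URL in a parameter")
```

Requests that merely reference the server's own host are left alone, so ordinary links are not counted against the client.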

[identity profile] thebruce.livejournal.com 2008-02-06 04:50 am (UTC)
Now that I've seen this post, I'll check bugtraq (it's a mailing list) for exploits involving that string. Have you googled the string itself, or checked in google groups for it?

Hope the list today helped. I'd have sent it sooner but it was hell-no-lj day at work yesterday/today.