How to Slow Down a Hacker

Some script kiddie in Delhi, India has been trying to hack our site since last night. He wrote a browser script that makes requests of our server in massive nested loops, trying everything under the sun.

He's not getting anywhere, and isn't getting past even our basic defenses (but he is filling up our log files).

We're sending back a 403 Unauthorized to his requests almost as soon as they come in, but the faster we block his requests, the faster his script runs.

We would like to introduce a "delay" of some sort before sending back the 403 response. The longer, the better.

Question: How can we delay hack attempts without affecting the rest of the site?

  • I assume that a Sleep(15000) on his thread would be bad news for other site visitors.
  • Spinning up a new thread just for him seems like overkill.
  • Is there another way to send a delayed response?
  • How long can we force his browser to wait? I suppose I don't care much if he gets the 403 Unauthorized error or eventually times out, so we could probably even do an indefinite / infinite wait.

There should be a separate firewall somewhere in front of your web server. You want to block the requests there from ever reaching your server, such that as far as his IP is concerned your server doesn't exist any more.


There are actual intrusion detection systems, big and small, that will do this automatically for you depending on various filters, honeypots and other mechanisms.

For example see fail2ban which can be configured to take actions based on analysis of logs.

This way you can

  • easily filter a single IP address from which an attack is coming without influencing other users of your site
  • write your own regex to analyze logs
  • define your own actions (throttle instead of ban, etc.)

There are other and bigger tools; see the "See also" section on Wikipedia.

As your question is tagged asp.net, I assume your server platform is Windows. Still, if using a Linux firewall is an option, you can try the following:

  • put a Linux firewall between the WAN and your server
  • give the firewall machine access to your IIS logs
  • write a regex to analyze them
  • plug it into the existing templates for banning

Such a firewall can be run on extremely modest hardware; think even something like Linksys routers (see here) for very decent link bandwidths.
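The detection step this answer describes (regex over the IIS logs, then a ban action once one address trips a threshold), as an added illustration in Python. This is not fail2ban's code; it reproduces the shape of a fail2ban filter and jail so you can see what the regex and the findtime/maxretry/ignoreip settings actually do. The IIS W3C field order, the thresholds, the addresses in the constructed log and the simplified expansion of the <HOST> tag are all assumptions; check the #Fields: header of your own logs before reusing the regex.

```python
"""Fail2ban-style scan of IIS W3C logs: count 403s per client IP inside a time
window and decide who to ban. Added illustration of the filter/jail logic, not
fail2ban's own code; log lines, thresholds and addresses are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Names mirror jail.conf options; the values are made up for the example.
FINDTIME = timedelta(seconds=600)   # window in which failures are counted
MAXRETRY = 5                        # failures inside FINDTIME that trigger a ban
IGNOREIP = [ipaddress.ip_network("192.168.1.0/24")]  # never ban your own LAN

# fail2ban filter syntax: <HOST> marks where the client address appears.
# Assumed IIS W3C field order (check the #Fields: header of your own logs):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
# IIS writes '+' instead of spaces inside the User-Agent, so it is one token.
FAILREGEX = r"^\S+ \S+ \S+ \S+ \S+ \S+ \d+ \S+ <HOST> \S+ 403 \d+ \d+ \d+$"

def compile_failregex(failregex):
    """Expand the <HOST> tag. fail2ban's own expansion also matches hostnames
    and IPv6 literals; this simplified version accepts any non-space token."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

def parse_w3c_time(line):
    date, time_ = line.split(" ", 2)[:2]
    return datetime.strptime(f"{date} {time_}", "%Y-%m-%d %H:%M:%S")

def is_ignored(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # hostname or garbage: not inside an ignoreip range
    return any(addr in net for net in IGNOREIP)

def scan_log(lines, failregex=FAILREGEX, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return {host: time_of_ban} for every host that reaches maxretry matching
    lines within a sliding window of findtime."""
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps of matches still in the window
    banned = {}
    for line in lines:
        if not line or line.startswith("#"):   # W3C header lines
            continue
        m = pattern.search(line)
        if not m:
            continue
        host = m.group("host")
        if host in banned or is_ignored(host):
            continue
        ts = parse_w3c_time(line)
        hits = recent[host]
        hits.append(ts)
        while ts - hits[0] > findtime:          # expire matches older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample: a fast scanner (203.0.113.7), a slow scanner that stays under
# the rate (203.0.113.9), a normal visitor (198.51.100.4), an internal host (192.168.1.50).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-05-20 13:20:00 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 curl/7.19 403 0 0 5
2010-05-20 13:31:00 10.0.0.5 GET /phpmyadmin/ - 80 - 203.0.113.9 curl/7.19 403 0 0 5
2010-05-20 13:42:00 10.0.0.5 GET /backup/ - 80 - 203.0.113.9 curl/7.19 403 0 0 5
2010-05-20 13:45:01 10.0.0.5 GET /admin/login.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 403 0 0 15
2010-05-20 13:45:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 403 0 0 12
2010-05-20 13:45:03 10.0.0.5 GET /default.aspx - 80 - 198.51.100.4 Mozilla/5.0+(Windows) 200 0 0 31
2010-05-20 13:45:03 10.0.0.5 GET /backup/ - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 403 0 0 9
2010-05-20 13:45:04 10.0.0.5 GET /private/ - 80 - 198.51.100.4 Mozilla/5.0+(Windows) 403 0 0 8
2010-05-20 13:45:04 10.0.0.5 GET /.svn/entries - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 403 0 0 10
2010-05-20 13:45:05 10.0.0.5 GET /web.config - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 403 0 0 11
2010-05-20 13:45:06 10.0.0.5 GET /admin/ - 80 - 192.168.1.50 Mozilla/5.0+(Windows) 403 0 0 7
2010-05-20 13:45:07 10.0.0.5 GET /admin/ - 80 - 192.168.1.50 Mozilla/5.0+(Windows) 403 0 0 7
2010-05-20 13:45:08 10.0.0.5 GET /admin/ - 80 - 192.168.1.50 Mozilla/5.0+(Windows) 403 0 0 7
2010-05-20 13:45:09 10.0.0.5 GET /admin/ - 80 - 192.168.1.50 Mozilla/5.0+(Windows) 403 0 0 7
2010-05-20 13:45:10 10.0.0.5 GET /admin/ - 80 - 192.168.1.50 Mozilla/5.0+(Windows) 403 0 0 7
2010-05-20 13:53:00 10.0.0.5 GET /cgi-bin/ - 80 - 203.0.113.9 curl/7.19 403 0 0 5
2010-05-20 14:04:00 10.0.0.5 GET /setup.php - 80 - 203.0.113.9 curl/7.19 403 0 0 5
"""

def scan_sample():
    return scan_log(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for host, when in scan_sample().items():
        print(f"ban {host} at {when:%Y-%m-%d %H:%M:%S}")
```

Only 203.0.113.7 is banned: the internal host is protected by the ignoreip list even though it trips the count, the visitor's single 403 never reaches maxretry, and the slow scanner spaces its requests further apart than findtime, which is the limitation of a pure rate threshold. In a real jail the ban action would be the iptables or route command rather than a print.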


If they come from a specific IP address or address block, you may want to add a blackhole route to it:

ip ro add blackhole 10.69.96.0/24
ip ro flush cache

You can also accomplish this by using an iptables rule, but realize that iptables rules are traversed linearly, so if you start adding iptables rules for every miscreant that comes along, you can start to eat up a lot of CPU. Routing tables are optimized for handling many, many entries. For example, one of my boxes has 350K entries in its routing table with no problem. But if I had 3K iptables rules the box would almost certainly fall over.

If you try doing something where your application sleeps for many seconds on these connections, you may end up tying up enough resources that legitimate requests can't get any resources.
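An added example (not from the answer) of turning a list of offending addresses into the blackhole routes the answer recommends, with the two guards a practitioner would want before running anything as root: nothing inside your own ranges can be blackholed, and a prefix broad enough to take the box offline is refused. It also collapses individual hosts into covering blocks so the routing table stays as small as possible, which goes a step beyond the single /24 in the answer. The protected ranges, the minimum prefix lengths and the sample offender list are constructed; `ip route replace` is used in place of the answer's `ip ro add` so that re-running the plan is idempotent.

```python
"""Turn a list of offending hosts/blocks into blackhole routes. Added example;
the protected ranges, limits and offender list are constructed, not from the answer."""
import ipaddress
import subprocess

# Ranges that must never be blackholed (constructed: your own LAN and a monitoring host).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "198.51.100.4/32")]
# Refuse anything broader than this: a typo such as 0.0.0.0/0 would take the box offline.
MIN_PREFIXLEN = {4: 8, 6: 32}

# Constructed input: the answer's block, a host inside it, two adjacent hosts,
# a stray host, an internal address (protected) and a dangerous typo.
OFFENDERS = ["10.69.96.0/24", "10.69.96.17", "203.0.113.4", "203.0.113.5",
             "203.0.113.7", "192.168.1.50", "0.0.0.0/0"]

def reject_reason(net):
    """Return None if net may be blackholed, otherwise a short reason."""
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return "prefix too broad"
    for keep in NEVER_BLOCK:
        if keep.version == net.version and keep.overlaps(net):
            return f"overlaps protected range {keep}"
    return None

def aggregate(nets):
    """Collapse hosts and blocks into the fewest covering prefixes, one family at a
    time (collapse_addresses refuses mixed v4/v6). A host already inside a listed
    block disappears and adjacent hosts merge, so the routing table stays small."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses([n for n in nets if n.version == version]))
    return out

def plan_blackholes(addresses):
    """Return {'commands': [argv, ...], 'rejected': [(cidr, reason), ...]}."""
    accepted, rejected = [], []
    for a in addresses:
        net = ipaddress.ip_network(a, strict=False)   # '203.0.113.7' -> 203.0.113.7/32
        reason = reject_reason(net)
        if reason:
            rejected.append((str(net), reason))
        else:
            accepted.append(net)
    commands = []
    for net in aggregate(accepted):
        family = ["-6"] if net.version == 6 else []
        # 'replace' instead of the answer's 'add', so re-running never fails with "File exists"
        commands.append(["ip", *family, "route", "replace", "blackhole", str(net)])
    return {"commands": commands, "rejected": rejected}

def apply_plan(plan, dry_run=True):
    """Print the commands, or run them (needs root / CAP_NET_ADMIN) when dry_run=False."""
    for argv in plan["commands"]:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)
    for cidr, reason in plan["rejected"]:
        print(f"# skipped {cidr}: {reason}")

if __name__ == "__main__":
    apply_plan(plan_blackholes(OFFENDERS))
```

With the constructed list this emits three routes (the /24, a /31 for the two adjacent hosts, and one /32) and skips the internal address and the /0. The answer's `ip ro flush cache` is left out: kernels since 3.6 have no IPv4 route cache, so it is a no-op there; on an older kernel run it once after the routes are installed.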