asp.net http module for project honey pot http IP blacklist

Posted on Mar 31, 2008 by Paul White

Any Honest Webmaster will tell you that Zombie computers, and Spam Bots, make a small percentage of your daily traffic. Sometimes you end up upgrading your hosting just to accomadate what you think are real visitors when its really Spam Bots. These Bots try to Post comments and links back to the sites they make money on. You will probably notice in your event viewer all the failed viewstates on your login pages. 99% of the time this is from spambots. The guys over at Project Honey Pot have started up a Blacklist of IPs with a bad History. When I got my API key I didn't notice anyone with an ASP.NET Module so I decided to create one.

First before you get too far.
Visit https://www.projecthoneypot.org/httpbl_api
And read up on the HTTP Blacklist, and how it works. Then sign up for an API key.

I have included plenty of comments to help explain the code.
To use this module simply create a App_Code Folder within your root directory
Then place this code into notepad, and save as IpBlackList.cs
FTP your IpBlackList.cs to your Website's App_Code Folder
Add the HTTP Module entry to your web.config ( see below )

If you get any errors just change your Web.config, and delete the module, so your site is not down while you work out any bugs.
Let me know what you guys thinks.

///////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
// This Module was created to protect your website from roque IPs
// This Module makes a call to http://www.projecthoneypot.org's HTTP Blacklist
// You must signup for an API key at http://www.projecthoneypot.org/httpbl_api
// If the IP that is making the request matches, the user is redirected
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////

using System;
using System.Web;
using System.Net;
using System.Data;
using System.Data.Odbc;
using System.Configuration;
using System.Collections.Specialized;

namespace IpBlackListModule
{
public class IpBlackList : IHttpModule{

	public IpBlackList() { }
	
	// start up module
	public void Init(HttpApplication application){
 		application.BeginRequest += (new EventHandler(this.Application_BeginRequest));
 	}
	
	// module code
	private void Application_BeginRequest(Object source, EventArgs e) {
		
		//////////////////////////////////////////////////////////////////
		//////////////////////////////////////////////////////////////////
		// Modify only these Variables
		//////////////////////////////////////////////////////////////////
		//////////////////////////////////////////////////////////////////
		
		// The URL you want to redirect bad IPs to
		string redirectURL="http://www.projecthoneypot.org";
		
		// Your Project Honey Pot API key
		string ApiKey="YourAPIKeyGoesHere";
	
		// Suspicious IPs will have a value between 0 and 255. IP must have higher value than threatValue
		int threatValue=0;
		
		// max number of days since last reported abuse
		int threatDays=255;
		
		//////////////////////////////////////////////////////////////////
		//////////////////////////////////////////////////////////////////
		
 		HttpApplication app = (HttpApplication)source;
 		HttpContext ctext = app.Context;
		// get current IP
		string IPAddr = ctext.Request.ServerVariables["REMOTE_ADDR"];
		
		string [] wordIP = IPAddr.Split(new char []{'.'});
		string ipaddress=wordIP[3]+"."+wordIP[2]+"."+wordIP[1]+"."+wordIP[0];
		string mydomain=ApiKey+"."+ipaddress+".dnsbl.httpbl.org";
		
		try{
			// make DNS call to HTTP:BL 
			IPHostEntry GetIPHost = Dns.GetHostByName(mydomain);
			string responseIP="";
			foreach(IPAddress ip in GetIPHost.AddressList){
				responseIP = ip.ToString();
			}
			string [] respIP = responseIP.Split(new char []{'.'});
			// if 127 then good request
			int num1=Convert.ToInt32(respIP[0]);
			// days since last activity
			int num2=Convert.ToInt32(respIP[1]);
			// threat type
			int num3=Convert.ToInt32(respIP[2]);
			// threat score
			int num4=Convert.ToInt32(respIP[3]);
			
			// is response valid
			if(num1==127){
				// has there been a report within threatDays ( days )
				if(num20){
						// if the threat value is greater than our min
						if(num4==0){
							//ignore Search Engines
						}
						if(num4>threatValue){
							// If you have a SQL DB this is where you would
							// want to Log the event
							// Now Kick the Spammer
							ctext.Response.Redirect(redirectURL);
						}
					}
				}
			}
		}
		// if the IP is not found on the blacklist then get catch the exception
		catch{}
 	}
	
	// Nothing to dispose
  	public void Dispose(){}
}
}

And Finally your web.config should look like this

<configuration>
  <system.web>
      <httpModules>
        <add name="IpBlackList" type="IpBlackListModule.IpBlackList"/>
    </httpModules>
  </system.web>
</configuration>

This should be as simple as Drag and Drop after you make a few small changes to personalize your code.

Permalink

9484 Visitors

9484 Views

Categories associated with asp.net http module for project honey pot http IP blacklist

Websites

Programming

ASP.NET

Operating Systems

Windows Server 2003

Security

Discussion

Simon | Jul 17, 2008 9:38 AM
I've created something very similar.

http://code.google.com/p/blacklistprotector/

See what you think

Paul White | Jul 17, 2008 2:03 PM
Simon, Its good know I am not the only person to think of this. Even though my module worked well. I found that Project Honey Pot had a few search engines declared as bots. Plus whenever my server could not reach Project Honey Pot for whatever reason it would essentially take my site down. I am now running a manual list of IPs to block. I am still a huge believer in Project Honey Pot, but until they beef up their servers to handle the loads, and get rid of the false positives, I can't afford to use their service to stop the bots.

name
Email	Needed to confirm comment, but not made public.
Website