WhiteSites Blog

asp.net http module for project honey pot http IP blacklist

Posted on Mar 31, 2008 by Paul White

Project Honey Pot
Any honest webmaster will tell you that zombie computers and spam bots make up a small percentage of your daily traffic.  Sometimes you end up upgrading your hosting just to accommodate what you think are real visitors when it's really spam bots.  These bots try to post comments and links back to the sites they make money on.  You will probably notice in your Event Viewer all the failed viewstates on your login pages.  99% of the time this is from spambots.  The guys over at Project Honey Pot have started up a blacklist of IPs with a bad history.  When I got my API key I didn't notice anyone with an ASP.NET module, so I decided to create one.

First, before you get too far, visit https://www.projecthoneypot.org/httpbl_api
and read up on the HTTP Blacklist and how it works.  Then sign up for an API key.

I have included plenty of comments to help explain the code.
To use this module, simply create an App_Code folder within your root directory.
Then paste this code into Notepad and save it as IpBlackList.cs.
FTP your IpBlackList.cs to your website's App_Code folder.
Add the HTTP module entry to your web.config (see below).

If you get any errors, just edit your Web.config and remove the module entry, so your site is not down while you work out any bugs.
Let me know what you guys think.

//////////////////////////////////////////////////////////////////
// This module was created to protect your website from rogue IPs.
// It makes a DNS call to http://www.projecthoneypot.org's HTTP Blacklist.
// You must sign up for an API key at http://www.projecthoneypot.org/httpbl_api
// If the IP that is making the request matches, the user is redirected.
//////////////////////////////////////////////////////////////////

using System;
using System.Web;
using System.Net;
using System.Net.Sockets;
using System.Data;
using System.Data.Odbc;
using System.Configuration;
using System.Collections.Specialized;

namespace IpBlackListModule
{
    public class IpBlackList : IHttpModule
    {
        public IpBlackList() { }

        // start up module
        public void Init(HttpApplication application)
        {
            application.BeginRequest += new EventHandler(this.Application_BeginRequest);
        }

        // module code
        private void Application_BeginRequest(Object source, EventArgs e)
        {
            //////////////////////////////////////////////////////////////////
            // Modify only these variables
            //////////////////////////////////////////////////////////////////

            // The URL you want to redirect bad IPs to
            string redirectURL = "http://www.projecthoneypot.org";

            // Your Project Honey Pot API key
            string ApiKey = "YourAPIKeyGoesHere";

            // Suspicious IPs will have a threat score between 0 and 255.
            // The IP must have a higher score than threatValue
            int threatValue = 0;

            // max number of days since last reported abuse
            int threatDays = 255;

            //////////////////////////////////////////////////////////////////

            HttpApplication app = (HttpApplication)source;
            HttpContext ctext = app.Context;
            // get current IP
            string IPAddr = ctext.Request.ServerVariables["REMOTE_ADDR"];

            // http:BL only covers IPv4; let anything that is not a dotted quad through
            string[] wordIP = IPAddr.Split(new char[] { '.' });
            if (wordIP.Length != 4) { return; }

            // the query is <key>.<reversed IP>.dnsbl.httpbl.org
            string ipaddress = wordIP[3] + "." + wordIP[2] + "." + wordIP[1] + "." + wordIP[0];
            string mydomain = ApiKey + "." + ipaddress + ".dnsbl.httpbl.org";

            try
            {
                // make DNS call to HTTP:BL
                IPAddress[] answers = Dns.GetHostAddresses(mydomain);
                if (answers.Length == 0) { return; }
                byte[] respIP = answers[answers.Length - 1].GetAddressBytes();
                if (respIP.Length != 4) { return; }

                // if 127 then the response is valid
                int num1 = respIP[0];
                // days since last activity
                int num2 = respIP[1];
                // threat score
                int num3 = respIP[2];
                // visitor type (0 = search engine)
                int num4 = respIP[3];

                // is response valid
                if (num1 == 127)
                {
                    // has there been a report within threatDays ( days )
                    if (num2 < threatDays)
                    {
                        if (num4 == 0)
                        {
                            // ignore search engines
                        }
                        // if the threat score is greater than our min
                        else if (num3 > threatValue)
                        {
                            // If you have a SQL DB this is where you would
                            // want to log the event
                            // Now kick the spammer
                            ctext.Response.Redirect(redirectURL);
                        }
                    }
                }
            }
            // if the IP is not found on the blacklist (or the lookup fails)
            // the DNS call throws; catch it and let the request through
            catch (SocketException) { }
        }

        // Nothing to dispose
        public void Dispose() { }
    }
}

And finally, your web.config should look like this:

<configuration>
  <system.web>
    <httpModules>
      <add name="IpBlackList" type="IpBlackListModule.IpBlackList"/>
    </httpModules>
  </system.web>
</configuration>

This should be as simple as Drag and Drop after you make a few small changes to personalize your code.
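
An added example, not part of the original post or of Project Honey Pot's code: a stand-alone decoder for http:BL answers that reads the visitor-type octet as a bitmask (1 suspicious, 2 harvester, 4 comment spammer), so the blocking policy can differ per type. The class, method and parameter names, the API key and the sample answers are constructed for illustration.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

// Visitor type octet of an http:BL answer (bitmask; 0 alone means search engine)
[Flags]
enum VisitorType { SearchEngine = 0, Suspicious = 1, Harvester = 2, CommentSpammer = 4 }

static class HttpBl
{
    // Builds "<key>.<reversed IPv4>.dnsbl.httpbl.org"; null for non-IPv4 clients
    public static string BuildQuery(string apiKey, string remoteAddr)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(remoteAddr, out ip) ||
            ip.AddressFamily != AddressFamily.InterNetwork)
            return null;
        byte[] b = ip.GetAddressBytes();
        return string.Format("{0}.{1}.{2}.{3}.{4}.dnsbl.httpbl.org",
                             apiKey, b[3], b[2], b[1], b[0]);
    }

    // Answer layout: 127.<days since last activity>.<threat score>.<visitor type>
    public static bool ShouldBlock(string answer, int minScore, int maxDays,
                                   VisitorType blockTypes)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(answer, out ip)) return false;
        byte[] a = ip.GetAddressBytes();
        if (a.Length != 4 || a[0] != 127) return false;     // malformed: fail open
        VisitorType type = (VisitorType)a[3];
        if (type == VisitorType.SearchEngine) return false; // octet 3 is an engine id here
        return a[1] <= maxDays && a[2] >= minScore && (type & blockTypes) != 0;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed API key and client address (documentation range)
        Console.WriteLine(HttpBl.BuildQuery("abcdefghijkl", "203.0.113.9"));
        // Constructed answers: suspicious, search engine, harvester+spammer, stale
        string[] answers = { "127.3.5.1", "127.0.2.0", "127.1.40.6", "127.200.80.4" };
        VisitorType policy = VisitorType.Harvester | VisitorType.CommentSpammer;
        foreach (string a in answers)
            Console.WriteLine("{0} -> block={1}", a, HttpBl.ShouldBlock(a, 10, 30, policy));
    }
}
```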


Discussion

Simon | Jul 17, 2008 9:38 AM
I've created something very similar.

http://code.google.com/p/blacklistprotector/

See what you think

Paul White | Jul 17, 2008 2:03 PM
Simon, it's good to know I am not the only person to think of this.  Even though my module worked well, I found that Project Honey Pot had a few search engines declared as bots.  Plus whenever my server could not reach Project Honey Pot for whatever reason it would essentially take my site down.  I am now running a manual list of IPs to block.  I am still a huge believer in Project Honey Pot, but until they beef up their servers to handle the loads, and get rid of the false positives, I can't afford to use their service to stop the bots.