
How to Block an HTTP Referer with Microsoft and Cisco ASA

This week I was working with a customer whose website was being bombarded by random hits coming from a referer out on the internet.

With IIS 7 logging enabled, we could see that the referer was www.badreferer.com (URL changed for security reasons). The hits numbered in the thousands per hour, which drove the web servers to 100% CPU and made the main site barely usable.
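The log review described above can be scripted. This is an added example, not part of the original post: it ranks referer hosts per hour from W3C extended log lines. The function names and the sample log are constructed, and it assumes the cs(Referer) field is selected in the IIS logging settings.

```python
"""Rank referer hosts per hour from IIS W3C extended log lines."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log; the column layout changes mid-file on purpose.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs(Referer) sc-status
2024-01-15 09:00:01 GET /default.aspx 203.0.113.7 http://www.badreferer.com/x 200
2024-01-15 09:00:02 GET /default.aspx 203.0.113.8 http://WWW.badreferer.com/y 200
2024-01-15 09:00:03 GET /default.aspx 198.51.100.4 - 200
2024-01-15 09:15:40 GET /news.aspx 198.51.100.9 http://search.example/?q=site 200
#Fields: date time c-ip cs(Referer) sc-status
2024-01-15 10:01:00 203.0.113.7 http://www.badreferer.com/ 200
"""

def referer_hits(lines):
    """Yield (hour, referer_host) per request, following each #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))  # IIS writes spaces in values as '+'
        ref = row.get("cs(Referer)", "-")
        if ref == "-" or "date" not in row or "time" not in row:
            continue  # no referer sent, or the needed columns are not logged
        try:
            host = urlsplit(ref).hostname or ref
        except ValueError:  # the header is client-controlled and may be malformed
            host = ref
        yield f"{row['date']} {row['time'][:2]}:00", host.lower()

def top_referers(lines, n=5):
    """Return {hour: [(host, hits), ...]} with the n busiest referer hosts."""
    per_hour = {}
    for hour, host in referer_hits(lines):
        per_hour.setdefault(hour, Counter())[host] += 1
    return {hour: counts.most_common(n) for hour, counts in sorted(per_hour.items())}

if __name__ == "__main__":
    for hour, ranked in top_referers(SAMPLE_LOG.splitlines()).items():
        print(hour, ranked)
```

To run it against real logs, pass an open log file to top_referers() in place of the sample lines.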

So how do we block a referer with Microsoft IIS7?

Blocking a URL Referer with Microsoft URL Rewrite

Microsoft URL Rewrite is a free add-on to Microsoft IIS7 that enables us to write specific rules to allow or block certain traffic to our website, similar to a .htaccess file in Linux.

You can download URL Rewrite from here

1. Install Microsoft URL Rewrite. Once it is installed, you will see a URL Rewrite button in the right-hand side pane.


2. Double-click on URL Rewrite. In the top right-hand corner, click on Add Rule(s)…


3. Select Request Blocking and click OK.


4. Under Block access based on, select Referer. Under Block request that, select Matches the Pattern. Under Pattern (Referer), enter *badreferer.com. Under Using, select Wildcards, and under How to block, select Abort Request.


5. The URL Rewrite rule is now in place and blocking.


Blocking HTTP Referer with Cisco ASA

Here is a sample of the config I used to block the HTTP referer on a Cisco ASA:

! Traffic to inspect: HTTP to the two web servers
! (the network objects WEB-SERVER-1 and WEB-SERVER-2 must already exist)
access-list web_servers extended permit tcp any object WEB-SERVER-1 eq www
access-list web_servers extended permit tcp any object WEB-SERVER-2 eq www

class-map URL-BLOCK-MAP
 match access-list web_servers

! Case-insensitive match on the referer domain; the dot is escaped so it only matches a literal "."
regex BADREFERER "[Bb][Aa][Dd][Rr][Ee][Ff][Ee][Rr][Ee][Rr]\.[Cc][Oo][Mm]"

! Drop and log any request whose Referer header matches the regex
policy-map type inspect http INSPECT-HTTP
 parameters
 match request header referer regex BADREFERER
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect pptp
  inspect ip-options
 class URL-BLOCK-MAP
  inspect http INSPECT-HTTP
 class global-class
 class class-default
  user-statistics accounting

service-policy global_policy global

To check that the Cisco ASA is matching the regular expression for badreferer.com and dropping the connections, you can type:

show service-policy global inspect http

Global policy:
  Service-policy: global_policy
    Class-map: URL-BLOCK-MAP
      Inspect: http INSPECT-HTTP, packet 21981960, drop 13465, reset-drop 26
        protocol violations
          packet 567
        match request header referer regex BADREFERER
          drop-connection log, packet 13439
