How to Block an HTTP Referer with Microsoft and Cisco ASA
This week I was working with a customer whose website was being bombarded by random hits coming from a referer out on the internet.
After enabling the IIS 7 logs, we could see that the referer was www.badreferer.com (URL changed for security reasons) and that the hits were in the thousands per hour, which drove the web servers to 100% CPU and made the main site barely usable.
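One way to pull the offending referer out of the IIS W3C logs, as an added example that is not part of the original post. It assumes the site logs the cs(Referer) field; the sample log lines, addresses, dates and the threshold are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in IIS W3C extended log format (addresses and dates are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) cs(Referer) sc-status
2013-05-01 10:00:01 GET /default.aspx 198.51.100.7 Mozilla/5.0 http://www.badreferer.com/a 200
2013-05-01 10:00:02 GET /default.aspx 198.51.100.8 Mozilla/5.0 http://WWW.BADREFERER.COM/b 200
2013-05-01 10:00:02 GET /default.aspx 198.51.100.9 Mozilla/5.0 http://www.badreferer.com/ 200
2013-05-01 10:00:03 GET /about.aspx 203.0.113.5 Mozilla/5.0 http://www.example.com/ 200
2013-05-01 10:00:04 GET /default.aspx 203.0.113.6 Mozilla/5.0 - 200
2013-05-01 11:00:00 GET /default.aspx 198.51.100.7 Mozilla/5.0 http://www.badreferer.com/a 200
"""


def referer_host(value):
    """Lower-cased host of a Referer value, or None when the header was absent ("-")."""
    if value in ("", "-"):
        return None
    try:
        return urlsplit(value).hostname or value.lower()
    except ValueError:              # malformed URL: keep the raw value so it is still counted
        return value.lower()


def referer_hits_per_hour(lines):
    """Count requests per (hour, referer host), following each #Fields directive."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            host = referer_host(row.get("cs(Referer)", "-"))
            if host and "date" in row and "time" in row:
                hits[(f"{row['date']} {row['time'][:2]}:00", host)] += 1
    return hits


def noisy_referers(hits, threshold):
    """(hour, host, count) entries at or above threshold, busiest first."""
    flagged = [(hour, host, n) for (hour, host), n in hits.items() if n >= threshold]
    return sorted(flagged, key=lambda entry: entry[2], reverse=True)


if __name__ == "__main__":
    # Threshold of 3 suits the tiny sample; the incident above saw thousands per hour.
    for hour, host, count in noisy_referers(referer_hits_per_hour(SAMPLE_LOG.splitlines()), 3):
        print(f"{hour}  {host}  {count} hits")
```
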
So how do we block a referer with Microsoft IIS7?
Blocking a URL Referer with Microsoft URL Rewrite
Microsoft URL Rewrite is a free add-on to Microsoft IIS7 that enables us to write specific rules to allow or block certain traffic to our website, similar to a .htaccess file in Linux.
You can download URL Rewrite from here
1. Install Microsoft URL Rewrite. Once it is installed, you will see a URL Rewrite button in the right-hand side pane.

2. Double-click on URL Rewrite. In the top right-hand corner, click on Add Rule(s)…

3. Select Request Blocking and click OK.

4. Under Block access based on – select Referer. Under Block request that – select Matches the Pattern. Under Pattern (Referer) – enter *badreferer.com. Under Using – select Wildcards, and under How to block – select Abort Request.

5. The URL Rewrite rule is now in place and blocking.

Blocking HTTP Referer with Cisco ASA
Here is a sample config of what I used to block the HTTP referer from a Cisco ASA:

! ACL that selects HTTP traffic to the web servers (defined before the class-map that references it)
access-list web_servers extended permit tcp any object WEB-SERVER-1 eq www
access-list web_servers extended permit tcp any object WEB-SERVER-2 eq www
!
! Case-insensitive match on badreferer.com; the dot is escaped so it only matches a literal "."
regex BADREFERER "[Bb][Aa][Dd][Rr][Ee][Ff][Ee][Rr][Ee][Rr]\.[Cc][Oo][Mm]"
!
class-map URL-BLOCK-MAP
 match access-list web_servers
!
! HTTP inspection policy: drop and log any request whose Referer header matches the regex
policy-map type inspect http INSPECT-HTTP
 parameters
 match request header referer regex BADREFERER
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect pptp
  inspect ip-options
 ! Apply the HTTP inspection to the class defined above (the class name must match the class-map)
 class URL-BLOCK-MAP
  inspect http INSPECT-HTTP
 class global-class
 class class-default
  user-statistics accounting
!
service-policy global_policy global
To check that the Cisco ASA is matching the regular expression for badreferer.com and dropping the connections, you can type:

show service-policy global inspect http

Global policy:
  Service-policy: global_policy
    Class-map: URL-BLOCK-MAP
      Inspect: http INSPECT-HTTP, packet 21981960, drop 13465, reset-drop 26
        protocol violations
          packet 567
        match request header referer regex BADREFERER
          drop-connection log, packet 13439