How to drop/discard a Request in ASP.NET?

Question

I'm trying to figure out how to drop/discard a request, I'm basically trying to implement a blocked list of IPs in my app to block spammers and I don't want to return any response (just ignore the request), is this possible in ASP.NET?

Edit: Some of the answers suggest that I could add them in the firewall, while this will certainly be better it's not suitable in my case. To make a long story short, I'm adding a moderation section to my website where moderators will check the posts awaiting moderation for spam (filtered by a spam fitler), I want the IP of the sender of some post to be added to the list of blocked IPs once a post is marked as spam by the moderator, this is why I wan to do it in the application.

Edit: Calling Response.End() returns a response to the user (even though it's empty), the whole purpose of my question was how not to return any response. Is this possible (even out of curiosity)? There's also Response.Close() which closes the socket but it sends notification (in TCP/IP) when it does this, I just wan to ignore as it if was never received (i.e. send nothing to the user)

Thanks

Answer 1

In ASP.NET Core call HttpContext.Abort() which simply closes the connection.

Answer 2

Here you go:

public class RequestDropper : IHttpModule
{
    public void Dispose()
    {
        throw new NotImplementedException();
    }

    public void Init(HttpApplication context)
    {
        context.BeginRequest += Context_BeginRequest;
    }

    public void Context_BeginRequest(object sender, EventArgs e)
    {
        var request = ((HttpApplication)sender).Context.Request;

        if (todayIAmNotInAMoodToProcessRequests)
        {
            request.Abort();
        }
    }
}

Hope this saves you some time

Answer 3

AFAIK there is no way to outright drop a request without a response. You can keep the request spinning in ASP.NET with whatever thread sleeping technique you like but you're not making life better for your server that way.

The best way that I know of to achieve what you want is having a traffic manager like ZXTM close the request before it gets to the webserver at all.

Answer 4

An other annoying but easy way to do it would be to Sleep the request for a discouraging amount of time before closing it.

Answer 5

You may want to have a look at this http://www.angrypets.com/tools/rdos/, which does a similar thing to what you are talking about, for similar reasons, and is implemented as a module.

Answer 6

I would suggest the best solution is not to give a specific "no response" but to give a more discouraging standard http error message. Whenever I am attempting to discourage unauthorised users I issue a page/url not found message as follows:

throw new HttpException(404, "File not found - " + Request.AppRelativeCurrentExecutionFilePath);

I think that this is very effective at convincing the person at the other end to give up and go away.

Answer 7

EDIT: This might be better implemented as an HTTPModule instead of a handler, but the basic idea holds true. See http://www.kowitz.net/archive/2006/03/08/ihttpmodule-vs-ihttphandler.aspx for more details

---

You could probably do this using an httphandler, that way you won't have to worry about checking for this in your application code - its handled before your application is even executed.

Psudo code - not tested

class IgnoreHandler : IHttpHandler
{
    #region IHttpHandler Members

    public bool IsReusable
    {
        get { return true; }
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.Clear();
        context.Response.StatusCode = 401;
        context.Response.Status = "Unauthorized";
        context.Response.End();
    }

    #endregion
}

Obviously, if you want it to return HTTP 200 (OK) and a blank page, just remove the two lines referring to the StatusCode and Status.

And then register it in web.config

<httpHandlers>
    <add verb="*" 
         path="*" 
         validate="false" 
         type="MyNamespace.IgnoreHandler, MyAssembly" />
</httpHandlers>

Answer 8

For this type of thing, I would go with an HTTP Module as opposed to doing this with a handler or a page.

Why use a module instead of a handler? An HTTP Module is called earlier in the request pipeline. For these type of blacklisted requests, you want to drop the request as early and fast as possible. This means the earlier in the request you can drop the request, the better.

You can read a little more about Modules vs Handlers here.

Answer 9

My first thought was what John suggested. The most ideal solution would be to add those IPs to the list of blocked IPs in your firewall if you have access to it, that way your application isn't having to do any processing at all.

Answer 10

Maybe you could use

Response.Clear();
Response.End();