Reputation: 1428
My web server is Windows Server 2012 R2 Standard with IIS 8.5.
I have been consistently receiving errors from a specific range of IP addresses. The errors are "A potentially dangerous Request.Path value was detected from the client." (the HTTP status code is 400). In response, I added IP address deny entries for these IP addresses. I first added the deny entries to the specific website, but continued to receive errors from the IP address. I then moved the deny entries to the application file and still received the errors.
At this point, I assumed something else was going on, so I set up a deny entry for a local machine. On a regular HTTP request, I received a 403, but when I make a "Bad request" (status 400), I receive the 400 status instead of the 403.
This link to Microsoft documentation describes a 400 status as:
The Http.sys file blocks IIS 7.0, IIS 7.5, and IIS 8.0 from processing the request because of a problem in the request.
And this link shows that the Http.sys is the first step when receiving a request.
I have some questions though.
1) I couldn't find where in the process a 403 gets handled. I'm now assuming this occurs after the 400, but I'm not sure.
2) The second link above (Introduction to IIS Architectures) also states:
On startup, WAS reads certain information from the ApplicationHost.config file, and passes that information to listener adapters on the server. Listener adapters are components that establish communication between WAS and protocol listeners, such as HTTP.sys. Once listener adapters receive configuration information, they configure their related protocol listeners and prepare the listeners to listen for requests.
This would lead me to believe that Http.sys would pull in the deny entries from the application.config file and block requests.
Anyway, to me the deny request would seem to come first, but that's obviously not the case (unless I have something set up wrong).
Any thoughts or links that would clear up my ignorance about the situation?
Upvotes: 1
Views: 2635
Reputation: 27369
I recently tried to use the IP Address and Domain Restrictions feature in IIS 8.5 to block certain IP addresses from accessing a web site, and I ran into the same issue you are describing on a similar server setup. In my case, IIS may have been blocking valid web requests from the IP addresses I listed, but I was still seeing bad requests (400 errors) show up in my logs, which meant the requests were getting through IIS to ASP.NET. I'm not sure why IIS 8.5 was not blocking the bad requests. This behavior was especially confusing to me since I feel like earlier versions of IIS did block all requests.
I wish I had a better answer for why IIS 8.5 behaves this way, but an alternative solution to this problem is to use Windows Firewall to block the problem IP addresses. You can add a custom rule to block TCP traffic from reaching your web server for specific IP addresses or a range. One benefit of this approach is that you can update the list without causing an Application Pool recycle, which occurs when you update the allow/deny rules in IIS.
To add the firewall rule, you can use wf.msc. You should update the Inbound Rules by adding a Custom Rule to block TCP traffic on local ports 80 and 443 (or whichever ports your web server runs on) from the desired IP addresses. It's also a good idea to first test the rule on a non-production server to make sure you are setting up the rule properly.
Upvotes: 1
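As an added example (not the answerer's own steps), the same inbound block rule built with the NetSecurity cmdlets that ship with Windows Server 2012 R2 rather than clicked through in wf.msc; the rule name and the blocked ranges are assumed placeholders, and the script can be re-run to update the list without an application pool recycle.

```powershell
# Added example, not from the original answer: create or update the Windows
# Firewall rule the answer describes, then read it back for verification.
# Run from an elevated PowerShell session. The addresses are constructed
# placeholders (RFC 5737 documentation ranges); replace them with the ranges
# seen in your IIS logs.

$ruleName      = 'Block abusive IPs on web ports'   # assumed name, pick your own
$blockedRanges = @(
    '203.0.113.0/24',                 # CIDR block
    '198.51.100.10-198.51.100.20'     # inclusive address range
)
$webPorts      = @('80', '443')       # adjust if your sites bind other ports

$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    # A firewall rule is enforced in the TCP stack, before Http.sys parses
    # the request, so even a request that IIS would answer with 400 never
    # reaches the server. Create the block rule once.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Block -Enabled True -Profile Any `
        -Protocol TCP -LocalPort $webPorts -RemoteAddress $blockedRanges `
        -Description 'Drops TCP from addresses sending malformed requests' | Out-Null
} else {
    # Replacing the address list on an existing rule does not recycle the
    # IIS application pool, unlike editing the IIS allow/deny entries.
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $blockedRanges
}

# Verify what the rule actually matches on: the address and port filters
# are separate objects attached to the rule.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$addr = $rule | Get-NetFirewallAddressFilter
$port = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Action        = $rule.Action
    LocalPort     = ($port.LocalPort -join ',')
    RemoteAddress = ($addr.RemoteAddress -join ',')
}
```

Check the output against the ranges you intended before enabling the rule on a production host; a typo in a range can block legitimate clients or leave the abusive ones unblocked.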