home links tools blog about

reverse dos faq



Referrer Spammers
Comment Spammers


Q. Why did you build ReverseDOS?
A. World Domination.

Q. No really, why?
A. A couple of reasons:
1) Because the idea is pretty cool. Using your webserver to 'reverse' attack malicious requests has a certain 'Angry' appeal to it.
2) I REALLY hate referrer spammers. Any thing I can do to screw with their utter IDIOCY, is well worth the effort.
3) Same goes for comment spammers.
4) I love ASP.NET, and HttpModules. This was actually a really fun project to build, document, and offer.
5) Hopefully my idea for filtering content BEFORE it makes its way through the pipeline will catch on. A number of bright people out there are working very hard to scrub spam from referrers and comments AFTER the fact. Ultimately I'd like to see the connection simply refused when any crap spam comes along. Maybe if my idea of denying spam up front catches on well enough, somebody smarter than me will write an ISAPI filter that works pretty much like ReverseDOS, but instead of issuing HTTP 403 Responses, simply ignores the connection attempt. (And the good news: It looks like IIS7 will make this idea possible - which I can't wait to pull off if it's the case.)

Q. ReverseDOS and '3rd Party' ASP.NET components?
A. If you are using '3rd Party' components like .Text, Telligent's Community Server, Dozing Dogs, nGallery, dotNetNuke, SingleUserBlog, etc. there's no need to worry about them interacting with ReverseDOS. (Even CAPTCHAs implemented as HTTPHandlers will work fine). ReverseDOS is just an HttpModule, so it will work fine with your existing ASP.NET site/components. (i.e. it's not a question of "either or.") If you notice any problems with interaction, just let me know.
Also, make SURE that you put the AngryPets.Web.Frameworks.ReverseDOS.dll into your bin directory for any virtual directories, or you'll have problems.

Q. What about Google's EVIL web accelerator Proxy (The Google Web Accelerator)? Will ReverseDOS block that as well?
A. ReverseDOS 1.x did. ReverseDOS 2.0 does NOT. If you'd like to block the Google Web Accelerator, just grab the GoogleProxyBlocker from my site.


Q. I have a copy of ReverseDOS 2.1. Does it have problems?
A. Sadly, yes. A few days after releasing it I found, to my everlasting shame, that it had some pretty big problems. I immediately pulled it, but since I don't collect email addresses from people who download, I had no way to notify people who had downloaded. My appologies.
For a discussion of some of the problems: see my blog.
To fix those problems, upgrade to version 2.8 immediately.

Referrer Spammers

Q. I post referrers on my ASP.NET site. How can ReverseDOS help me keep things 'clean'?
A. Well, the good news is that ReverseDOS is right up in the front of the ASP.NET pipeline. It will detect and snuff referrer spam before it has a chance to make it in to the rest of the pipeline. So, unless you are using your log files, ReverseDOS will snuff referrer spam before your site writes the referrer to disk/database/whatever.

Q. My Analytics package uses log files to generate reports, does ReverseDOS keep referrer spam out of my logs?
A. ReverseDOS is just an HttpModule -- it can't really effect logging (which takes place in IIS). So, ReverseDOS may block referrer spammers with a 404, or a 403, etc response code, but the request is still logged. That being said, my analytics package uses log files as well -- but because it doesn't track hits that show up as errors (except in the 'errors' section), throwing a 403 works PERFECTLY, and has worked in two ways: 1) Referrer spamers have apparently noticed that they are getting 403-ed on my site, so all but the reaaaally dumb ones have stopped trying, 2) Those that remain are hit with a 403, so they don't end up being listed in the section of my stats that shows referers to the site, they're lumped down with 404s, 500s, and 403 errors.
The KILLER thing to do though, would be to just REFUSE a connection when it was detected as being a request that was just referrer spam. I don't have the time or the patience to do that via an ISAPI filter (somebody may), but it looks like IIS7 will allow me to do that through ASP.NET -- which will really put an end to referrer spam, period.

Comment Spammers

Q. I've already got a CAPTCHA in place, can I still run ReverseDOS?
A. Sure. Between ReverseDOS and your CAPTCHA you'll stop comment spam dead. As you get better at determining what kind of content is being spammed, and creating effective filters against it, you'll be able to remove the CAPTCHA as all it will be doing is stopping your grandma from posting to your blog (ReverseDOS will handle the spammers).

Q. I filter comments out with complex SQL queries... what's the benefit to switching to ReverseDOS?
A. Hey, I _love_ SQL. But why filter comments out AFTER they've been added to your database? Just block them from ever being written to your DB by setting up filters that catch the spam, and DENY it.


Q. Isn't filtering all these requests expensive?
A. No. Filtering is virtually undetectable. To test I ran the Web Stress Tool against my localhost without ReverseDOS wired up as an HTTP Module. I was able to do an average of 178.5 pages/second. Then I wired up ReverseDOS, and had it look for 25 patterns that I knew it wouldn't match in the requests. Result: 177.5 pages/second. I tested a number of times, and while the number of pages/second shifted a bit, ReverseDOS was always less than one page/second of a perf hit (a few times the ReverseDOS served pages actually came back faster).
UPDATED:ReverseDOS 2.8 actually filters quite a bit faster. See my blog for some details.


Q. What's next for ReverseDOS?
A. ReverseDOS 3.0 will come along soon. It will add functionality that lets you suck in the MT Blacklist and treat it as one GIGANTIC filter to help protect your site. The ReverseDOS.config will let you specify how many hours to keep ahold on that definition before reloading it. It will also allow you to suck in other blaclists (assuming text only) as well.


Q. How do I configure ReverseDOS to be able to watch for .exe requesets?
A. ReverseDOS filters against all requests sent in to the ASP.NET pipeline. If you want to filter against MIME types that aren't already served by ASP.NET, you'll just have to instruct IIS to send them through the ASP.NET ISAPI filter. I've provided a step by step set of instructions on how to do this in the Configuration page (down at the bottom of the page).

Q. I installed ReverseDOS as instructed, and now sections of my site won't work?
A. Those sections of your site are likely virtual directories. Just make sure you drop the AngryPets.Web.Frameworks.ReverseDOS.dll into the /bin/ directory for all of you virtual directories as well. Also, even if you don't WANT the ReverseDOS HttpModule to operate in those virtual directories, you'll have to add the .dll into the .bin, otherwise ASP.NET will throw errors (this is a problem with ASP.NET, not with ReverseDOS).