Http_referer


franklin_dematto - 9:05 pm on Apr 4, 2003 (gmt 0)


Gary,

What type of attacks are you trying to block? If the attack is a targeted attack at a dynamic page/form on your server, blocking based on Referer won't really help. Most tools that attackers use will get it right by default (don't forget that a browser is the easiest way to perform most of these attacks), and the attackers that are capable of coding their own exploit are certainly capable of including that header.

If the attack is not targeted, but is a scan or worm attacking IIS, checking Referers won't help - IIS will process the request before it even hits your check.

Are you using canned ASP or CGI pages that you feel may have some insecurities which are being exploited en masse? This is the only scenario in which I see Referrer checking being of any use - and even then, it would be quite limited. The way to secure a site is to secure it (!), not to try to thinly hide its vulnerabilities - the disguise won't last very long.

Make sure your core IIS is secure - up to patch, minimal functionality (this is a key!), strong privileges, and URL lockdown. Make sure all your ASPs and CGIs etc. use secure practices (not trusting user input, filtering all external data, etc.) and have been audited. If you eliminate the insecurities, there is no need for surface annoyances.

Note: Referrer checking can be very useful to stop certain types of cross-site scripting attacks (XSS), if that is what you are afraid of. These don't target your server directly, they target users who are currently logged in to your server.
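As an added example (not from the thread or its author), a Python check of the kind the note above describes, applied only to state-changing requests made from a logged-in user's browser; ALLOWED_HOSTS and the sample requests are constructed. It also shows the thread's caveat: a request that simply carries a same-site Referer is accepted, so the check cannot tell a hand-set header from a genuine one.

```python
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Hypothetical hosts this site answers on (assumption, not from the thread).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
# Only methods that change state are worth gating on Referer/Origin.
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def referer_allowed(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request may proceed based on its Origin/Referer.

    Read-only methods are never blocked. For state-changing methods the
    request is rejected unless Origin (preferred) or Referer names one of
    our own hosts. A missing header is rejected: the check exists to stop
    requests a third-party page makes through a victim's logged-in browser,
    and those are exactly the requests that may arrive without a Referer.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no Origin/Referer on state-changing request"
    parts = urlsplit(source)
    # Rejects "null" Origins and non-HTTP schemes, which never parse to a host.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, f"unparseable source {source!r}"
    # Compare the full hostname, so "www.example.com.attacker.example" fails.
    if parts.hostname.lower() in ALLOWED_HOSTS:
        return True, f"same-site source {parts.hostname}"
    return False, f"cross-site source {parts.hostname}"


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    ("GET", {"Referer": "https://other.example/"}),               # read-only: allowed
    ("POST", {"Referer": "https://www.example.com/account"}),     # same-site: allowed
    ("POST", {"Origin": "https://attacker.example"}),             # cross-site: blocked
    ("POST", {}),                                                 # no header: blocked
    ("POST", {"Referer": "https://www.example.com.attacker.example/"}),  # lookalike: blocked
]


def run_samples():
    """Return the allow/deny decision for each constructed request."""
    return [referer_allowed(m, h)[0] for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, headers), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(method, headers, "->", "allow" if verdict else "deny")
```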


Thread source: http://www.webmasterworld.com/website_technology/1919.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com