>I have a bot visiting us and sending a query string with only the ampersand character, on various Web sites. When those arive, ASP.NET logs Event Viewer records. I was wondering if there could be a way to disable that. The browser receives a generic ASP.NET page about the potentially dangerous path received. It would be even better if we could have a hook at the higher level to react on that. Anyone has worked around that?

I have a couple of similar situations. I don't know the answer either and I'd like to hear anyone else's experiences.

From the limited research I've done, basically, your application that's monitoring the logs has to be able to talk to your firewall and ask it to block the offending IP address(es). This is the ideal case; you don't want ANY traffic from those IPs to be able to reach anything in your environment. I don't know if it's possible to configure typical web servers to block IPs but that's not ideal; the traffic is still entering your environment and hitting your web server.

In some cases the event in the standard Windows event logs doesn't record an IP address. In that case you may have to look in other logs as well.

There is a slight danger to blocking IPs. If a sophisticated attacker knows the IP addresses of your legitimate users, they could send a bad request spoofing one of those addresses. That would cause legitimate users to be denied service.

I've Googled topics such as [how to dynamically block abusive ip]. There are a few ideas there (mostly open source) but nothing easy or simple.

This is a common problem, I can't help thinking there could be a whole industry built around addressing it but I haven't found any products yet.