Best Practice for denying/killing specific URL requests ASP.Net IIS 7.5


I have an MVC/forms hybrid web application hosted on a Windows 2008 R2 instance on Azure. The web server is IIS 7.5. For the last 4-5 months my server has been getting absolutely hammered by vulnerability scanners checking for PHP-related vulnerabilities. Example:

The controller for path '/wp-login.php' was not found or does not implement IController.

from Elmah

So I've gone in and specifically filtered .php and .cgi file extension requests in IIS 7.5, which is working great. However, I am still getting hammered with requests like:

The controller for path '/admin/Cms_Wysiwyg/directive/' was not found or does not implement IController. 

The controller for path '/phpmyadmin2018/' was not found or does not implement IController.

etc. etc. It's more an annoyance, as everything is logged, a 404 is returned and it's all a useless resource throwaway.

Through Elmah I've queried a distinct list of URLs related to all these requests. What is the best way to short-circuit these requests? It would be good if I could optionally ban the IPs, but right now there are 700 unique IPs making these requests in the last 3 months alone. Main priority is to just short-circuit the requests from the dictionary of URLs I know are bogus and avoid the logging and response from my web server. Thanks!
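
An added example, not part of the original question or answer, of the short-circuit asked about above: known-bogus paths are matched in `Application_BeginRequest` and the request is completed with an empty 404 before routing runs. `ScannerPathFilter`, `IsBlocked` and the prefix list are hypothetical names and constructed sample data, and the application is assumed to sit at the site root.

```csharp
using System;
using System.Linq;
using System.Web;

// Hypothetical helper: the class name, member names and list contents are
// assumptions for this example, not taken from the application.
public static class ScannerPathFilter
{
    // Constructed sample entries based on the paths quoted in the question.
    // Replace with the distinct URL list exported from Elmah. Each prefix
    // must not overlap a real route, or legitimate requests get dropped.
    private static readonly string[] BlockedPrefixes =
    {
        "/wp-login.php",
        "/admin/Cms_Wysiwyg/",
        "/phpmyadmin"           // also covers /phpmyadmin2018/ and similar
    };

    public static bool IsBlocked(string path)
    {
        if (string.IsNullOrEmpty(path)) return false;
        // Scanners vary the casing, so compare case-insensitively.
        return BlockedPrefixes.Any(p =>
            path.StartsWith(p, StringComparison.OrdinalIgnoreCase));
    }
}

public class MvcApplication : HttpApplication
{
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Assumes the application is hosted at the site root, so Request.Path
        // starts with the same segments the scanner asked for.
        if (!ScannerPathFilter.IsBlocked(Request.Path)) return;

        Response.Clear();
        Response.StatusCode = 404;
        Response.SuppressContent = true;         // send headers only, no body
        Response.TrySkipIisCustomErrors = true;  // keep IIS from substituting its error page
        // Skip the rest of the pipeline (routing, controller lookup) and go
        // straight to EndRequest. No exception is raised, so Elmah logs nothing.
        CompleteRequest();
    }
}
```

IIS still writes its own W3C log line for each of these requests; only the ASP.NET work and the Elmah entry are avoided.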

Omu On BEST ANSWER

Half pseudocode, but I think it will be helpful:

In Global.asax.cs:

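using System;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Runs at the start of every request, before routing picks a controller.
    protected void Application_BeginRequest(Object sender, EventArgs e)
    {
        var url = HttpContext.Current.Request.Url.AbsoluteUri;
        // checkUrl: your own test for a known-bogus URL.
        if (checkUrl(url))
        {
            // your code here
        }

        // UserIsBanned: your own lookup of banned client addresses.
        if (UserIsBanned(GetUserIp()))
        {
            Response.Write("ban");
            Response.End(); // stop processing this request here
        }
    }

    // Address of the connecting client as seen by the web server.
    private string GetUserIp()
    {
        return HttpContext.Current.Request.UserHostAddress;
    }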