.Net Engineer Pro Tools

Pro Tools

Windows Pro Tips
-----------------
powertoys - https://apps.microsoft.com/store/detail/microsoft-powertoys/XP89DCGQ3K6VLD
devtoys - https://apps.microsoft.com/store/detail/devtoys/9PGCV4V3BK4W

Visual Studio 2022 Pro Tips
---------------------------
vscoloroutput - https://marketplace.visualstudio.com/items?itemName=MikeWard-AnnArbor.VSColorOutput
solutionColor - https://marketplace.visualstudio.com/items?itemName=Wumpf.SolutionColor
save vs settings to apply to other computer - https://learn.microsoft.com/en-us/visualstudio/install/import-export-installation-configurations?view=vs-2022

Podcasts
--------
Dev interrupted
Hacking Humans
Cyber Security Headlines
Click Here
Malicious Life
The Stack Overflow Podcast
The Backend Engineering (with Hussein Nasser)
The Changelog: Software Development, Open Source
Tech Stuff
Cyberwire Daily
Techmeme Ride Home
Soft Skills Engineering
Syntax - Tasty Web Development Treats
Cyber Security Today
Software Engineering Daily
Developer Tea
Coding Blocks .NET
The Cloud Cast
JS Party: Javascript, CSS, Web Development
Go Time: Golang, Software Engineering
Cyber
Dev Questions with Tim Corey
Thoughtworks Technology Podcast
.NET Rocks!
Smashing Security
Hanselminutes with Scott Hanselman
Software Engineering
Talk Python To Me
Security Now
Darknet Diaries
Hacked
The .NET Core Podcast
The .NET MAUI Podcast
Kubernetes Podcast from Google
Adventures in .NET
Coding After Work 
Base.cs Podcast
The Static Void Podcast

Tools
------
couchbase
honeycomb.io/changelog
firehydrant
logrocket
playwright
openmct
thundra.io
raygun
fly.io
appwrite
sentry.io
https://sourcegraph.com/
https://www.kolide.com/
https://entity.services/
WeekPlan

Docker Extensions
------------------
Ddosify - High-performance load testing tool 
  - https://github.com/ddosify/ddosify
BurpSuite
  - https://portswigger.net/burp
  - https://danaepp.com/
  
VS Tips
--------
Extract method from selected code 
  - Ctrl + R + M
Ctrl + K + D
Ctrl + R + G
Ctrl + M + Z (Code Maid)

Important
----------
ApplicationInsights SamplingSettings for AzFn
  - https://learn.microsoft.com/en-us/azure/azure-functions/functions-host-json
Design Patterns in C#
  - https://www.dofactory.com/net/factory-method-design-pattern
  - https://github.com/DovAmir/awesome-design-patterns?utm_source=programmingdigest&utm_medium&utm_campaign=1493
Shopify Query
  - https://shopify.engineering/reducing-bigquery-costs?utm_source=programmingdigest&utm_medium&utm_campaign=1403
Building Own Operating System
  - https://o-oconnell.github.io/2023/01/12/p1os.html?utm_source=programmingdigest&utm_medium&utm_campaign=1493
Debugging Linq
  - https://www.red-gate.com/simple-talk/development/dotnet-development/linq-secrets-revealed-chaining-and-debugging/
  --> https://michaelscodingspot.com/debug-linq-in-csharp/
Bleeping Computer
  - https://www.bleepingcomputer.com/
  
Utilities
---------
Handle v5.0
  - https://learn.microsoft.com/en-us/sysinternals/downloads/handle?WT.mc_id=DT-MVP-5003978
Auto Increment Build #
  - https://stackoverflow.com/questions/826777/how-to-have-an-auto-incrementing-version-number-visual-studio
  
Phylosophy
----------
1. Do I have to have a "purpose" to have an address in the USA?
  - if yes, then as a Human being I must have a purpose? Seriously? Ok, a purpose to whom? To whom must I state my pupose or execute or report to about...???
2. System Failure - Zero Day Exploit
3. Good PR example - https://github.com/dotnet/aspnetcore/pull/45587/files
 
App Insights Log Queries
------------------------
availabilityResults
| where timestamp > datetime("2022-12-19T04:07:00.000Z") and timestamp < datetime("2022-12-20T04:07:00.000Z") 
| where customDimensions["WebtestArmResourceName"] == "availability-test-1-app-notepad-physical-activity-dev-eastus"
| where true and true
| extend percentage = toint(success) * 100
| summarize avg(percentage) by bin(timestamp, 1h)
| render timechart
******************************************************************
 
 
 
 
 
 
 
 
 

What you’re seeing is normal internet “background radiation”: bots trawling every public site for WordPress/PHP holes (/wp-admin/*, random *.php, xmlrpc.php, etc.). Since your app isn’t PHP, they’re just probing. 46 requests in 24 hours is not a DDoS—a real DoS is usually thousands+ per minute—but you’re right to stop it from ever touching your app.

Here’s the clean playbook (Azure-native), in the order that actually reduces load.

1) Stop it at the edge (best ROI): Azure Front Door Premium + WAF

Front Door (Std/Premium) + WAF is what you want if your goal is “don’t let garbage reach my App Service.”

WAF rules to add (immediately)

Custom “Block PHP/WordPress scans” rule:

• Block if URL path ends with .php

• Block if URL path contains:

  • /wp-admin
  • /wp-content
  • /wp-includes
  • /xmlrpc.php

Rate limit rule (basic bot throttling):

• If a single IP hits you more than (example) 100 requests in 1 minute, block for 5–10 minutes.

This removes noise before your app even sees it.

2) Prevent bypass: lock down the App Service origin

Once Front Door is in place, make sure attackers cannot hit your App Service URL directly.

In App Service → Networking → Access Restrictions:

• Allow the AzureFrontDoor.Backend service tag (Front Door to origin)
• Deny all else

That forces all traffic through WAF.

3) Don’t use APIM just to block bots

API Management is not the right tool for random internet scans.

• Use APIM when you want: API products, subscriptions, quotas for real clients, versioning, developer portal, etc.
• For bot junk and path probing: WAF is the tool.

(You can rate-limit in APIM, but you’ll pay more and the junk still has a chance to reach the gateway.)

4) Quick app-side safety net (so even without WAF you’re fine)

Add a tiny middleware early in the pipeline to short-circuit obvious garbage fast (no auth, no DB, no logging spam):

app.Use(async (ctx, next) =>
{
    var p = ctx.Request.Path.Value ?? "";

    if (p.EndsWith(".php", StringComparison.OrdinalIgnoreCase) ||
        p.StartsWith("/wp-", StringComparison.OrdinalIgnoreCase) ||
        p.Contains("/wp-admin", StringComparison.OrdinalIgnoreCase) ||
        p.Contains("/wp-content", StringComparison.OrdinalIgnoreCase) ||
        p.Contains("/wp-includes", StringComparison.OrdinalIgnoreCase) ||
        p.EndsWith("/xmlrpc.php", StringComparison.OrdinalIgnoreCase))
    {
        ctx.Response.StatusCode = StatusCodes.Status404NotFound;
        return;
    }

    await next();
});

Even if you later add Front Door/WAF, this keeps your origin resilient.

5) Fix robots.txt returning 400

A 400 for /robots.txt is unnecessary noise. Just serve a static robots.txt and return 200:

wwwroot/robots.txt

User-agent: *
Disallow:

Or if you want to discourage crawling:

User-agent: *
Disallow: /

6) Prove whether it’s actually “load” (App Insights check)

Run a quick KQL to see if these are cheap 404s or expensive requests:

requests
| where timestamp > ago(24h)
| where url has ".php" or url has "/wp-"
| summarize count(), avg(duration), max(duration) by resultCode, client_CountryOrRegion, client_IP
| order by count_ desc

If duration is tiny and counts are low, it’s noise. If duration is high, your app pipeline is doing too much before rejecting—then the middleware above matters a lot.

---

Bottom line

• This is bot scanning, not a real DoS.
• The “adult” solution is Front Door Premium + WAF + lock down origin.
• APIM is optional and usually not the fix for this problem.

If you tell me what you’re hosting on (Azure App Service? Container Apps? AKS?) and whether you already have Front Door/Cloudflare, I’ll give you the exact click-path + the exact WAF rule patterns to paste in.