mchagala: I understand what you mean now. It's some hacker appending malicious query strings to the end of valid URLs.
As jwendl mentioned, BE isn't processing this type of query string parameter. It's just ignored. If BE was taking that value and doing something such as creating a comment with the contents of that query string value, that would be a problem.
But BE doesn't do anything with that value ... it's not looking for any special value there.
I do see a difference though between loading the page in IIS6 vs IIS7. For example, if you append that value to the URL of a post on my blog (IIS6):
... versus appending it to a post where the server is IIS7 (borrowing one of your URLs, Ruslan, should be safe!)
With IIS7, the page loads instantly. With IIS6, it goes on for about 30 seconds or more, and finally times out (connection reset at the server). I'm not actually sure if the reason for this difference is IIS6 vs IIS7, or some other factor.
But if I append a different value (more innocent) to my same IIS6 server post:
This loads instantly. So perhaps we could look at rejecting these types of URLs, since it's typically not good that a server is taking 30+ seconds to respond. I'm not sure offhand what's happening during that 30 seconds. And I'll have to see if the request is hung up during that 30 second period within BE, or if it's hung up at IIS -- probably it's hung up within BE.
mchagala: Btw, is your server running IIS6 or IIS7? And what happens when you access your blog post with that URL ... do you get the long delay like what I see on my blog (allben.net), or does it load quickly?
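Two things the post above suggests checking for are worth scripting: which requests carry query-string parameters the blog never uses, and which of those take 30+ seconds to answer. The script below is an added example, not code from the thread or from BlogEngine.NET. It reads IIS W3C extended log lines (the log excerpt is constructed, and `time-taken` is in milliseconds as IIS writes it) and flags requests that either carry parameters outside an allow-list or exceed a slow-response threshold. The `ALLOWED_PARAMS` set is an assumption for illustration, not BlogEngine.NET's real parameter list; replace it with whatever your installation actually reads.

```python
"""Flag slow requests and unexpected query-string parameters in IIS W3C logs.

Added example (not BlogEngine.NET code). ALLOWED_PARAMS is an assumed
allow-list; the log excerpt below is constructed sample data.
"""
from urllib.parse import parse_qsl

# Assumed allow-list of query-string parameters the blog is expected to use.
ALLOWED_PARAMS = {"id", "page"}

# Threshold taken from the thread: responses that hang for 30+ seconds.
SLOW_MS = 30_000

# Constructed IIS W3C extended log excerpt. time-taken is in milliseconds;
# "-" is how IIS logs an empty field such as a missing query string.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status time-taken
2010-01-05 10:00:01 GET /post/hello-world.aspx - 200 120
2010-01-05 10:00:07 GET /post/hello-world.aspx id=2&page=1 200 95
2010-01-05 10:01:12 GET /post/hello-world.aspx foo=bar 200 140
2010-01-05 10:02:30 GET /post/hello-world.aspx q=%41%42&junk= 500 31234
"""


def parse_w3c(text):
    """Parse W3C log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names drive the mapping
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than mis-align
        records.append(dict(zip(fields, values)))
    return records


def unexpected_params(query):
    """Return sorted parameter names in `query` that are not on the allow-list."""
    if query in ("", "-"):
        return []
    # parse_qsl percent-decodes names and values; blank values are kept so
    # a bare "junk=" still counts as a parameter.
    pairs = parse_qsl(query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() not in ALLOWED_PARAMS})


def flag_requests(records, slow_ms=SLOW_MS):
    """Return findings for requests that are slow or carry unexpected params."""
    findings = []
    for rec in records:
        extra = unexpected_params(rec.get("cs-uri-query", "-"))
        try:
            taken = int(rec.get("time-taken", "0"))
        except ValueError:
            taken = 0                      # "-" or garbage: treat as not measured
        slow = taken >= slow_ms
        if extra or slow:
            findings.append({
                "stem": rec.get("cs-uri-stem", ""),
                "query": rec.get("cs-uri-query", "-"),
                "unexpected": extra,
                "slow": slow,
                "time_ms": taken,
            })
    return findings


if __name__ == "__main__":
    for f in flag_requests(parse_w3c(SAMPLE_LOG)):
        print(f"{f['stem']}?{f['query']}  unexpected={f['unexpected']}  "
              f"slow={f['slow']} ({f['time_ms']} ms)")
```

The allow-list check is the more useful signal: a parameter the application never reads is exactly the "BE doesn't do anything with that value" case from the post, so any such request can be rejected or logged at the front door without touching BE's own code, and the slow-request flag then shows whether the hang correlates with those parameters or with something else in IIS.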