Easy way for user to tie up server resources in an ASP.NET application


steventhrasher42

I very likely may be missing something here, but what stops a user from
holding down the F5 key in their browser and generating hundreds of
requests to IIS and thus tying up server resources?

If session state is enabled (enableSessionState=true), all of these
requests get queued and processed one after another.

And if the user finds a particular page with poor enough performance,
say one that takes a few seconds to render, by holding down the F5 key
for a minute, he can queue up hundreds of requests and tie up the
server spiking its cpu for an hour or even hours.

I've tested this and used the Performance Monitor to confirm this is
what goes on.

Shouldn't there be a feature of IIS or ASP.NET that allows you to limit
the number of requests per ASP.NET session so this is avoided?
 

Juan T. Llibre

You're right in raising this issue, Steven.

I have forwarded your (correct) concern
to the ASP.NET Dev Team.

Thanks!



Juan T. Llibre
ASP.NET MVP
===========
 

bruce barker

this is called a denial of service attack. generally your firewall would
prevent this. tying to session means little, as an attacker would know not
to send a session cookie, forcing a new session. the inproc session manager
is very prone to this attack, as just create new session until asp.net
recycles, losing all session data.

-- bruce (sqlwork.com)



| I very likely may be missing something here, but what stops a user from
| holding down the F5 key in their browser and generating hundreds of
| requests to IIS and thus tying up server resources?
|
| If session state is enabled (enableSessionState=true), all of these
| requests get queued and processed one after another.
|
| And if the user finds a particular page with poor enough performance,
| say one that takes a few seconds to render, by holding down the F5 key
| for a minute, he can queue up hundreds of requests and tie up the
| server spiking its cpu for an hour or even hours.
|
| I've tested this and used the Performance Monitor to confirm this is
| what goes on.
|
| Shouldn't there be a feature of IIS or ASP.NET that allows you to limit
| the number of requests per ASP.NET session so this is avoided?
|
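
An added example, not part of the original thread and not ASP.NET's own code: a sketch of an `IHttpModule` that caps in-flight requests per client address instead of per session, since the session cookie is under the client's control. The class name `PerClientConcurrencyModule`, the limit of 4, the 503 response and the `Items` key are assumptions for illustration; it assumes .NET 4 or later for `ConcurrentDictionary`.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Web;

// Hypothetical module: rejects a client's requests once it has too many in flight.
public class PerClientConcurrencyModule : IHttpModule
{
    private const int MaxInFlight = 4;   // assumed limit, tune per application
    private const string ItemKey = "PerClientConcurrency.Client";
    private static readonly ConcurrentDictionary<string, int> InFlight =
        new ConcurrentDictionary<string, int>();

    public void Init(HttpApplication app)
    {
        // BeginRequest fires before session state is acquired, so rejected
        // requests never join the per-session queue.
        app.BeginRequest += OnBegin;
        app.EndRequest += OnEnd;
    }

    private static void OnBegin(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        // Key on the peer address, not on a cookie the client can omit.
        string client = app.Request.UserHostAddress ?? "unknown";
        int now = InFlight.AddOrUpdate(client, 1, (k, v) => v + 1);
        app.Context.Items[ItemKey] = client;   // so OnEnd knows what to release
        if (now > MaxInFlight)
        {
            app.Response.StatusCode = 503;
            app.Response.AddHeader("Retry-After", "5");
            app.CompleteRequest();             // skip the page, go to EndRequest
        }
    }

    private static void OnEnd(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        var client = app.Context.Items[ItemKey] as string;
        if (client == null) return;
        int left = InFlight.AddOrUpdate(client, 0, (k, v) => v - 1);
        // Remove idle entries atomically (only if the count is still 0) so the
        // table does not grow with every address ever seen.
        if (left == 0)
            ((ICollection<KeyValuePair<string, int>>)InFlight)
                .Remove(new KeyValuePair<string, int>(client, 0));
    }

    public void Dispose() { }
}
```

Behind a reverse proxy or load balancer `UserHostAddress` is the proxy's address, so the key would have to come from a forwarded-address header that the proxy sets and the application trusts.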
 
