tags:

views:

68

answers:

1
+1  Q: 

Most efficient way to terminate an ASPX web request.

I am writing some application logic which can recognize malformed or malicious http post data requests made to an IIS 5 aspx page. What is the most efficient way to terminate a bad request?

At the point where a bad request is identified there will be no buffered output and the C# function exit stack is shallow.

My hunch at the moment is that the additional turmoil of response.End() together with its thread terminate exception, might be more disruptive in a DOS attack situation than a regular 204 "no content" response.

To put some perspective on what my site is doing, all aspx hits result in DB query activity of say 10ms to 300ms, so responding to a malformed request as a regular 204 reply in 0.5ms represents a large saving.

A: 

I would make a custom IHttpModule and have it pre-process all aspx (or any other filetypes you want).

If your not familiar with IHttpModule they contain methods like OnBeginRequest OnError etc. You register them in your web.config file. You can easily have a custom ones that runs at the very begining of the request and have it look for naughty bits.

http://msdn.microsoft.com/en-us/library/ms227673.aspx

ryber  2009-09-08 12:36:19
Ok, interesting I thought plumbing in a C# IIS request pipeline handler was something new in II7. (I am stuck with Windows 2003 on an Amazon EC2 VM instance). Anyhow I can see the advantage of a common interception security point but this still leaves the question about how to terminate a bad request efficiently? Request.Close() zaps the underlying socket.
 2009-09-08 12:47:56
If you concerned with the overhead of close then just redirect the request to a dead-end static html page.
ryber  2009-09-08 18:17:40
@ryber "just redirect the request to a dead-end static html page". Ooo no, response.Redirect() triggers an exception which is the last thing I want to do during a suspect DOS attack.
 2009-09-08 18:49:46
What exception? According to the documentation it only throws a HttpException if the headers had already been sent. If it's being called from a IHttpModule before the rest of your app gets a hold of the request then it should be perfectly fine.
ryber  2009-09-08 20:45:37
@ryber Thanks for the clarification. I was referring to thread abort exceptions which can cause IIS to wobble when thrown at high frequency. But good news if these do not trigger from an IHttpModule.
 2009-09-09 01:19:04

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps