I'm looking for a good and inexpensive way to prevent denial of service attacks on my ASP.NET MVC site.
I've been thinking about a solution that intercepts the HttpHandler and then counts requests in the Cache object, with the key being something like "RequestCount_[IpAddressOfRequestClient]" but that seems like it would generate a crazy overhead.
Any ideas would be greatly appreciated. Thank you!
You might consider trying to throttle the requests. Identify users by IP and/or cookie and limit requests to (say) 1 every two seconds. A human wouldn't notice, but this would slow down a bot considerably.
This helps at the application level (protects your app/database) but it's not a complete solution, as the hits are still coming at the network level.
As a front line of defense I would probably depend on hardware. Many ISPs offer some protection, eg: http://www.softlayer.com/facilities_network_n2.html