How to prevent DoS attack in ASP.NET MVC applications?

1

25

I don't want someone to keep pressing F5 on my site or using some tool to request the page frequently.

That is to say, I want to prevent an Action or the Controller from being invoked frequently by one client.

How can I implement this? Is there any package I can use, just like the AntiXSS library?

Arther answered 4/8, 2012 at 3:33 Comment(4)
You could only allow the user to make an HTTP request every 5 seconds. StackOverflow only allows you to do certain things every x amount of time to save their bandwidth. - Citreous
Related: Best way to implement request throttling in ASP.NET MVC? - Aun
@AlexW SO does throttling, but that is not enough to prevent DoS attacks, as it is based on IP address, which can be changed a million times a second, obviously not by me but by a hacker. - Allotrope
It isn't an anti-XSS library that you are looking for. You need a DoS protection library. See this answer: https://mcmap.net/q/539797/-how-to-restrict-dos-attack-with-web-api - Letha
18

Most of these features are going to be found in the IIS manager. Something like Dynamic IP Restrictions should help. Read through Microsoft's Best Practices for Preventing DoS/Denial of Service Attacks; this provides a good list of things to do.

Also, according to this video, Cloudflare is able to prevent these attacks with their free service.

Champlain answered 4/8, 2012 at 8:29 Comment(2)
Does the Dynamic IP Restriction work in a load balanced, stateless, web farm? It doesn't look like it based on the description I read. What I mean is does the module track requests for an IP across multiple machines, or just the local machine? - Reggiereggis
It's not sufficient to limit the requests by IP in a general way. If there is a heavy function, an attacker can use the general defined limit by IP to make N requests to the heavy function and take down the server. You need to specify a limit at function level. See this answer (API Protector .NET library): https://mcmap.net/q/539797/-how-to-restrict-dos-attack-with-web-api - Letha
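
The per-action limit discussed in the question and in the last comment can be sketched as an ASP.NET MVC action filter. This is an added example, not code from any poster in this thread or from the libraries they mention; `ThrottleAttribute`, its `MaxRequests` and `WindowSeconds` properties, and `ReportsController` are hypothetical names, and it assumes `UserHostAddress` is the real client address.

```csharp
using System;
using System.Threading;
using System.Web;
using System.Web.Caching;
using System.Web.Mvc;

// Added example: fixed-window request limit per client and per action.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ThrottleAttribute : ActionFilterAttribute
{
    private sealed class Counter { public int Hits; }

    public int MaxRequests { get; set; }
    public int WindowSeconds { get; set; }
    public ThrottleAttribute() { MaxRequests = 10; WindowSeconds = 60; }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        var action = filterContext.ActionDescriptor;
        // Key on client address plus controller/action, so an expensive action
        // gets its own budget instead of sharing one site-wide limit.
        // Assumption: behind a proxy or load balancer UserHostAddress is the proxy.
        string key = string.Join("|", "throttle", request.UserHostAddress,
            action.ControllerDescriptor.ControllerName, action.ActionName);

        var fresh = new Counter();
        // Cache.Add never overwrites: it returns the existing entry, or null
        // when our new counter was stored. The entry expires with the window.
        // Low priority lets the cache evict counters under memory pressure.
        var existing = (Counter)HttpRuntime.Cache.Add(key, fresh, null,
            DateTime.UtcNow.AddSeconds(WindowSeconds), Cache.NoSlidingExpiration,
            CacheItemPriority.Low, null);
        var counter = existing ?? fresh;

        if (Interlocked.Increment(ref counter.Hits) > MaxRequests)
        {
            // Setting Result here short-circuits the action method.
            filterContext.HttpContext.Response.AddHeader("Retry-After", WindowSeconds.ToString());
            filterContext.Result = new HttpStatusCodeResult(429, "Too Many Requests");
        }
    }
}

public class ReportsController : Controller   // hypothetical controller
{
    [Throttle(MaxRequests = 5, WindowSeconds = 30)]   // tighter budget for a heavy action
    public ActionResult Export() { return Content("ok"); }
}
```

The counters live in the memory of one worker process, so on a web farm each node counts separately unless the counter is moved to a shared store.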
