ASP.NET has the following features to help counteract denial of service attacks aimed at your ASP.NET applications:
POST requests are constrained by default to 4 megabytes (MB).
Clients are checked to ensure that they are still connected before their requests are queued for work. This guards against an attacker who sends many requests and then disconnects, leaving the server to process requests nobody is waiting for.
Request execution times out after a configurable limit.
Configuration values are maintained on the <httpRuntime> element in Machine.config. The following code sample shows default settings from a version 1.1 Machine.config:
<httpRuntime executionTimeout="90"
             maxRequestLength="4096"
             useFullyQualifiedRedirectUrl="false"
             minFreeThreads="8"
             minLocalRequestFreeThreads="4"
             appRequestQueueLimit="100"
             enableVersionHeader="true"/>
You might want to reduce the maxRequestLength attribute to prevent users from uploading very large files. The maximum allowed value is 4 MB. In the Open Hack competition, the maxRequestLength was constrained to 1/2 MB as shown in the following example:
<system.web>
  <!-- 1/2 MB Max POST length -->
  <httpRuntime maxRequestLength="512"/>
</system.web>
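The following audit script is an added example (not part of this guide) that reads the <httpRuntime> element from a Web.config or Machine.config and flags values that weaken the protections described above. The thresholds (512 KB for maxRequestLength, matching the Open Hack setting, and 90 seconds for executionTimeout, matching the version 1.1 default) and the sample configuration are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Web.config in which maxRequestLength has been raised
# far above the 4 MB (4096 KB) default and executionTimeout has been lengthened.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <httpRuntime executionTimeout="600" maxRequestLength="65536"
                 appRequestQueueLimit="100"/>
  </system.web>
</configuration>
"""

# Thresholds are assumptions for this audit, taken from the settings quoted
# in the text: 512 KB (Open Hack) and 90 s (version 1.1 Machine.config default).
MAX_REQUEST_KB = 512
MAX_EXECUTION_SECONDS = 90


def audit_http_runtime(config_xml, max_request_kb=MAX_REQUEST_KB,
                       max_exec_seconds=MAX_EXECUTION_SECONDS):
    """Return a list of findings for the <httpRuntime> element; empty means OK."""
    root = ET.fromstring(config_xml)
    # iter() avoids path lookups through the dotted <system.web> element name.
    runtime = next(root.iter("httpRuntime"), None)
    findings = []
    if runtime is None:
        # No element in this file means the Machine.config values apply.
        findings.append("no <httpRuntime> element: inheriting Machine.config defaults")
        return findings
    # maxRequestLength is expressed in kilobytes, executionTimeout in seconds;
    # a missing attribute takes the version 1.1 default shown in the text.
    length_kb = int(runtime.get("maxRequestLength", "4096"))
    timeout_s = int(runtime.get("executionTimeout", "90"))
    if length_kb > max_request_kb:
        findings.append(f"maxRequestLength={length_kb} KB exceeds {max_request_kb} KB")
    if timeout_s > max_exec_seconds:
        findings.append(f"executionTimeout={timeout_s} s exceeds {max_exec_seconds} s")
    return findings


if __name__ == "__main__":
    for finding in audit_http_runtime(SAMPLE_CONFIG):
        print(finding)
```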
Note: ASP.NET does not address packet-level attacks. You must address this by hardening the TCP/IP stack. For more information about configuring the TCP/IP stack, see "How To: Harden the TCP/IP Stack" in the "How To" section of this guide.