You can use URLScan as another line of defense against denial of service attacks even before requests reach ASP.NET. You do this by setting limits on the MaxAllowedContentLength , MaxUrl and MaxQueryString attributes.
To throttle the request sizes, add the following configuration to URLScan.ini:
[RequestLimits] ; The entries in this section impose limits on the length ; of allowed parts of requests reaching the server. ;MaxAllowedContentLength=2000000000 ;MaxUrl=16384 ;MaxQueryString=4096