24

I don't want someone to keep pressing F5 on my site or using some tool to request the page frequently.

That is to say, prevent an Action or the Controller from being invoked frequently by one client.

How can I implement this? Is there any package I can use, just like the AntiXSS library?

Sam
Edi Wang
  • You could only allow the user to make an HTTP request every 5 seconds. StackOverflow only allows you to do certain things every x amount of time to save their bandwidth. – Alex W Aug 04 '12 at 04:11
  • related: [Best way to implement request throttling in ASP.NET MVC?](http://stackoverflow.com/questions/33969/best-way-to-implement-request-throttling-in-asp-net-mvc) – chue x Jun 16 '14 at 14:56
  • @AlexW SO does throttling, but that is not enough to prevent DoS attacks as it is based on IP address, which can be changed a million times in a second, obviously not by me but by a hacker – It's a trap Sep 23 '16 at 15:58
  • It isn't an anti-XSS library that you are looking for. You need a DoS protection library. See this answer: https://stackoverflow.com/a/56075128/1679165 – tecla May 15 '19 at 01:07

1 Answer

18

Most of these features are going to be found in the IIS manager. Something like Dynamic IP Restrictions should help. Read through Microsoft's Best Practices for Preventing DoS/Denial of Service Attacks; this provides a good list of things to do.

Also, according to this video, Cloudflare is able to prevent these attacks with their free service.

Garrett Fogerlie
  • Does the Dynamic IP Restriction work in a load balanced, stateless, web farm? It doesn't look like it based on the description I read. What I mean is does the module track requests for an IP across multiple machines, or just the local machine? – Paul Fryer Oct 30 '13 at 18:23
  • It's not sufficient to limit the requests by IP in a general way. If there is a heavy function, an attacker can use the general defined limit by IP to make N requests to that heavy function, to take down the server. You need to specify a limit at function level. See this answer (API Protector .NET library): https://stackoverflow.com/a/56075128/1679165 – tecla May 15 '19 at 01:28
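
The per-action limit raised in the comments, sketched as an ASP.NET MVC action filter. This is an added example, not code from anyone in the thread or from the libraries they mention; the `ThrottleAttribute` name and its default limits are hypothetical.

```csharp
using System;
using System.Runtime.Caching; // reference the System.Runtime.Caching assembly
using System.Threading;
using System.Web.Mvc;

// Hypothetical attribute (not from the thread): at most MaxRequests per
// WindowSeconds for each (controller, action, client address) tuple.
// Usage: [Throttle(MaxRequests = 3, WindowSeconds = 10)] on an action.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ThrottleAttribute : ActionFilterAttribute
{
    private sealed class Counter { public int Hits; }

    public ThrottleAttribute() { MaxRequests = 5; WindowSeconds = 10; }
    public int MaxRequests { get; set; }   // constructed default
    public int WindowSeconds { get; set; } // constructed default

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var action = filterContext.ActionDescriptor;
        // UserHostAddress is the TCP peer. Behind a reverse proxy or load
        // balancer that is the proxy itself, so every client shares one key.
        string key = "throttle:" + action.ControllerDescriptor.ControllerName + "/" +
                     action.ActionName + "|" +
                     filterContext.HttpContext.Request.UserHostAddress;

        if (!TryAcquire(key))
        {
            filterContext.HttpContext.Response.AddHeader(
                "Retry-After", WindowSeconds.ToString());
            // Setting Result short-circuits the action: the heavy work never runs.
            filterContext.Result = new HttpStatusCodeResult(429, "Too Many Requests");
        }
    }

    private bool TryAcquire(string key)
    {
        // The cache entry is the window: it expires WindowSeconds after the
        // first hit, which resets the count and bounds memory per client.
        // State is per process; servers in a web farm each count separately.
        var fresh = new Counter();
        var counter = (Counter)MemoryCache.Default.AddOrGetExisting(
            key, fresh, DateTimeOffset.UtcNow.AddSeconds(WindowSeconds)) ?? fresh;
        return Interlocked.Increment(ref counter.Hits) <= MaxRequests;
    }
}
```

Because the counters live in each worker process, a load-balanced farm needs a shared store for the same key to enforce one limit across machines.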