
Imagine I have an HTTP POST action with a method signature of:

RegisterUser(string email, string password)

The implementation of this method does some basic validation (e.g. to see if e-mail doesn't already exist in a user repository) and then stores this information as a record in the user repository.

Say I then go on to make an AJAX call to this action from a "registration" view. If some malicious user looks at the markup of that view on the client-side, they'll pretty easily be able to see the URL to the RegisterUser action and determine what they need to pass to it (email and password).

What is then stopping that user from writing a program that calls this action 100 million times? What safeguards can I put into place? Is there something I should read up on in ASP.NET MVC that will protect me from such a POST attack?

Thanks

DotNetDeveloper

2 Answers


I would recommend installing the Dynamic IP Restrictions module in IIS or implementing a throttling solution in your application. This would prevent the same user from sending multiple requests to the controller action. It won't protect you against DDOS attacks though, because in those kinds of attacks the requests are coming from different IP addresses.

Darin Dimitrov
  • Hi Darin. Can you tell me if Dynamic IP Restrictions for IIS is enough to prevent DDoS attacks? Or does it work only against simple DoS attacks? Thanks – It's a trap Sep 27 '16 at 05:47
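As an added illustration of the in-application throttling the answer above suggests (this is example code, not code from the answer or from any library), here is a hypothetical ThrottleAttribute action filter for ASP.NET MVC. It counts requests per client address and per action in MemoryCache and answers with HTTP 429 once a caller exceeds the configured budget inside a time window. The attribute name, the Limit/WindowSeconds properties and the Counter helper are all assumptions made for this example.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading;
using System.Web.Mvc;

// Hypothetical per-client throttle (added example, not from the original answer).
// Keeps a request counter per (controller, action, client address) in the
// process-wide MemoryCache; the entry expires when the window ends.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public class ThrottleAttribute : ActionFilterAttribute
{
    // Maximum requests one client address may make to the action inside the window.
    public int Limit { get; set; }

    // Length of the window in seconds.
    public int WindowSeconds { get; set; }

    public ThrottleAttribute()
    {
        Limit = 5;
        WindowSeconds = 60;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // One budget per action, so throttling RegisterUser does not affect other actions.
        // Note: behind a reverse proxy UserHostAddress is the proxy, not the client;
        // a deployment behind one would have to read the forwarded address instead.
        string key = string.Format("throttle:{0}:{1}:{2}",
            filterContext.ActionDescriptor.ControllerDescriptor.ControllerName,
            filterContext.ActionDescriptor.ActionName,
            request.UserHostAddress);

        var cache = MemoryCache.Default;
        var fresh = new Counter();
        var expiry = DateTimeOffset.UtcNow.AddSeconds(WindowSeconds);

        // AddOrGetExisting returns null when our entry was inserted, otherwise the
        // entry already present; this avoids a race between two concurrent requests.
        var counter = (Counter)cache.AddOrGetExisting(key, fresh, expiry) ?? fresh;

        if (Interlocked.Increment(ref counter.Count) > Limit)
        {
            // Budget exhausted for this window: refuse before the action body runs,
            // so the repository lookup and insert never happen for the excess calls.
            filterContext.Result = new HttpStatusCodeResult(429, "Too Many Requests");
            return;
        }

        base.OnActionExecuting(filterContext);
    }

    // Mutable holder so the count can be incremented in place inside the cache.
    private class Counter
    {
        public int Count;
    }
}

// Usage on the action from the question (controller name is assumed).
public class AccountController : Controller
{
    [HttpPost]
    [Throttle(Limit = 5, WindowSeconds = 60)]
    public ActionResult RegisterUser(string email, string password)
    {
        // ... validation and storing the record in the user repository ...
        return new HttpStatusCodeResult(200);
    }
}
```

The counter lives in the web process, so it resets on application restart and is not shared across a web farm; a shared store would be needed there. As the answer notes, a limit keyed on the client address only slows down a single source, since traffic spread over many addresses stays under the per-address limit.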

The most common form of prevention against a Denial of Service (DOS) attack, which is what you are describing, is to use some type of Captcha.

Although this question has been closed, it should provide some useful information on implementing this within ASP.NET MVC.

Darren Lewis
  • Captcha? On a logon form? Come on, that would not be very user friendly. Have you seen a website asking you for a Captcha in addition to your username and password? – Darin Dimitrov Dec 29 '12 at 17:49
  • @DarinDimitrov The OP mentioned a RegisterUser action and registration view. I don't think it's a huge leap to assume that we're discussing registration here and not login. For which a Captcha is perfectly reasonable. – Darren Lewis Dec 29 '12 at 18:46
  • Thanks Daz, the question arose to me when I was working on the registration functionality in my app, hence why I used that as an example - using captcha would be a good solution for this particular case - thanks. The question also applies outside of this particular case (protecting any action) and I think Darin provided a good solution for that too. Thanks both. – DotNetDeveloper Dec 29 '12 at 20:13