0

I always thought that the WCF BasicHttpBinding option MaxBufferSize is intended to protect me from DoS attacks; however, the following note in the documentation is weird:

If a message exceeds the maximum value set for the buffer, it is not dropped. Instead, more memory is requested from the CLR heap and this incurs more garbage collection overhead than using the buffers.

So it looks like the property MaxBufferSize is more of a default value and not a MaxBufferSize. Am I missing something?

D.R.
  • Well, it does exactly what it implies it does. It is the biggest chunk your application will accept, packets can be smaller, anything larger will come in chunks – BugFinder Mar 07 '16 at 12:46
  • What exactly is a "package"? In the end a method is called in my service and it receives all the parameters at once. No concept of "packages" anymore...so all the memory must be allocated at the same time. Or is MaxBufferSize only relevant for streaming contracts? – D.R. Mar 07 '16 at 12:48
  • Think of it as a way of tuning your app. As it says, requests over the maxbuffer size are not dropped, e.g. if you set it to be 5k, and someone sends you 1gb, you will get 200(ish) chunks which have greater overhead than if you set your max buffer to 1gb (ok, some exaggeration going on). A "package" would be a request, surely? – BugFinder Mar 07 '16 at 13:02

1 Answer

4

Found the answer, thank you BugFinder for the hint in the right direction.

MaxBufferSize is indeed important only in streaming scenarios. In buffered WCF scenarios, it must be set to the same value as the MaxReceivedMessageSize (otherwise a configuration exception is thrown). MaxReceivedMessageSize is the one saving us from DoS attacks (hard limit).

D.R.
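The two cases from the answer above, as an added configuration example that is not part of the original post. The binding names and byte values are assumptions chosen for illustration; `transferMode`, `maxReceivedMessageSize` and `maxBufferSize` are the standard `basicHttpBinding` attributes.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>

      <!-- Buffered (the default transfer mode): the whole message is held in
           memory, so maxBufferSize must equal maxReceivedMessageSize.
           maxReceivedMessageSize is the hard cap on what a client can make
           the service accept. 65536 bytes is a constructed example value. -->
      <binding name="bufferedLimited"
               transferMode="Buffered"
               maxReceivedMessageSize="65536"
               maxBufferSize="65536" />

      <!-- Streamed request: the body is read as a stream, so the two values
           may differ. maxReceivedMessageSize still caps the total message
           size (10 MiB here, a constructed value); maxBufferSize only bounds
           the part that is buffered in memory. -->
      <binding name="streamedUpload"
               transferMode="StreamedRequest"
               maxReceivedMessageSize="10485760"
               maxBufferSize="65536" />

    </basicHttpBinding>
  </bindings>
</system.serviceModel>
```

When sizing the DoS limit, set `maxReceivedMessageSize` to the largest legitimate request the contract needs rather than raising it to silence size errors.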