How to close HTTP connection in asp.net?

Question

I have a problem, please help!

Our site was under Slow HTTP POST DOS attack recently. It's when your server receives a lot of incoming connections and keep them for long time because the sender sends information very slow and server cant serve real users' request - denial of service.

So I decied to reject such POST requests:

void Application_BeginRequest(object sender, EventArgs e)
{
    if ( _my_condition_here_ )
    {
        _reject_the_request_by_dropping_connection_
    }
}

The problem is that I can't drop the HTTP connection in asp.net:

Response.End(), throw new Exception(), even Thread.CurrentThread.Abort() 

don't close the connection. It waits while sender sends all the fake data, then answer to it with '500 server error' or something. The slow POST attack still will be successful in this case.

How can I just drop the connection? Or maybe there are some settings or modules in IIS 7 which can do that for me?

Answer 1

Try Response.Close instead of Response.End. See also the checked answer of this SO thread.

Answer 2

You could check out the Request Filtering of IIS7. Just don't know if your 'condition' can be implemented in such a way that Request Filtering is possible. Ofcourse IP Security is an option, but not very elegant. Isn't there a Forefront TMG (or other firewall) in front of the webserver? If so, you can add some security in the firewall.

If both of them can't do the stuff you want, you probably need to write your own HTTP Module to stop a request. This still doesn't answer your question on how to stop the request though. Perhaps a solution would be to serve those 'users' an empty page. That way you don't have to stop a request, but simply serve them an empty page. This will give your webserver some load, but doesn't impact the database server.

Answer 3

Have you considered reducing the connection timeout instead?