
I am trying to understand whether .NET Middleware will protect against Denial Of Service attacks on a sensitive area of a system. I can't find the answer in docs such as this.

The attack I've envisaged is this.

  • An attacker gains rights to a NON Super-Admin user
  • They then use these credentials to spam the Upload controller.

Here is the controller:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System;
using System.Threading.Tasks;

namespace Test.controllers
{

    [Authorize(Policy = "SuperAdmin")]
    [ApiController]
    public class UploadController : Controller
    {


        public UploadController()
        {
        }

        [HttpPost, Route("upload")]
        public async Task<ActionResult<string>> Upload()
        {

            try
            {
                // Extra checks

                // Accessing Request.Form is what makes ASP.NET Core read and parse the multipart body
                var file = Request.Form.Files[0];

                // Do something with the file
            }
            catch (Exception ex)
            {
                // ...
            }

            return "OK";
        }
    }
}

So the Authorize attribute is ASP.NET Middleware that will bounce the request if the user isn't a 'SuperAdmin'.

What I'm unsure of, though, is: will the whole request reach the server, or is this done at the header level?

E.g. I want to upload a 500MB file.

Option 1

  • Upload controller called (e.g. from a browser UI)
  • API receives headers
  • middleware reads the headers (rejects if insufficient permissions - has only taken a few bytes to get to this decision)
  • Middleware accepts - controller now accepts the 500MB file.
  • This would mean only a few bytes of data transfer if not permitted.

Option 2

  • Upload controller called (e.g. from a browser UI)
  • Whole 500MB+ request to API controller
  • The controller receives the whole payload
  • In among the payload, retrieves header.
  • Accepts or rejects (but 500MB has been transferred before the decision has been made).

Obviously, option 2 would be much more susceptible to DOS attacks, so I'm hoping it's Option 1, but I can't find the answer.

How does this actually flow please?

JsAndDotNet
Not sure about DOS.. but uploading 500MB in a single request is probably not the best way to go about file uploads. Streaming multi-part uploads would most likely suit your use-case better. (Could always upload directly into a cloud storage if one is being used.) – galdin Mar 02 '21 at 13:25

About the DOS attack, as far as I know, the .net core middleware doesn't contain this middleware. To prevent DOS attack, you could try to use Dynamic IP Restrictions, check these threads: [Thread 1](https://stackoverflow.com/questions/58840637/) and [Thread 2](https://stackoverflow.com/questions/11805694/). From your description, I suppose perhaps you want to [prevent (XSRF/CSRF) attacks in ASP.NET Core](https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-5.0). – Zhi Lv Mar 03 '21 at 09:15

1 Answer

The HTTP request is not partially sent, so the whole file will go through the network. For example, you can make authorization based on the content of the body if you want (so not only the headers are loaded).

You can use Fiddler to check HTTP request/response; it acts as a proxy so you can see everything that is sent/received.

Edit: So no, the authorization middleware will not prevent a DOS attack.

Arcord
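An added example (not code from the question or the answer) showing where the authorization decision sits relative to reading the body, and the request-size limits a defender would put in front of such an endpoint so that an authorized-but-abusive caller cannot make the server buffer a 500MB body. It assumes a .NET 6+ web project with implicit usings; the cookie authentication scheme, the 20 MB / 10 MB figures and the "SuperAdmin" role name are assumptions.

```csharp
// Added example, not the asker's or answerer's code. Cookie authentication (part of the
// shared framework) and the "SuperAdmin" role are assumptions for illustration.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Server-wide ceiling (Kestrel's default is 30,000,000 bytes). Kestrel answers 413 when a
// body larger than this is read, whoever sent it, so the app never buffers a 500MB upload.
builder.WebHost.ConfigureKestrel(k => k.Limits.MaxRequestBodySize = 20L * 1024 * 1024);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization(o =>
    o.AddPolicy("SuperAdmin", p => p.RequireRole("SuperAdmin")));
builder.Services.AddControllers();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();   // policy is evaluated here, before any action runs; the app has read no body yet
app.MapControllers();
app.Run();

[Authorize(Policy = "SuperAdmin")]
[ApiController]
public class UploadController : ControllerBase
{
    // Per-endpoint caps, enforced when the body is first read. They bound what even an
    // authorized caller can make the server buffer or parse on this route.
    [HttpPost("upload")]
    [RequestSizeLimit(10L * 1024 * 1024)]
    [RequestFormLimits(MultipartBodyLengthLimit = 10L * 1024 * 1024)]
    public async Task<ActionResult<string>> Upload()
    {
        // Authorization has already succeeded. Nothing below touches the body until
        // ReadFormAsync, which is the call that makes the multipart body get consumed.
        if (!Request.HasFormContentType)
            return BadRequest("multipart/form-data expected");

        var form = await Request.ReadFormAsync();
        if (form.Files.Count == 0)
            return BadRequest("no file in request");

        var file = form.Files[0];
        return Ok($"received {file.FileName} ({file.Length} bytes)");
    }
}
```

Whether the client's bytes cross the network before a 401/403/413 depends on the client: one that sends `Expect: 100-continue` waits for Kestrel's `100 Continue`, which Kestrel only emits when the app starts reading the body, so a rejected request costs little bandwidth, while a client that streams the body immediately has no way to take the bytes back.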