
Can't find this issue anywhere...

Using ASP.NET 3.5, I have 3 web servers in a web farm, using ASP.NET State Server (on a different server).

All pages use session (they read and update the session).

Issue: my pages are prone to DDOS attack; it is so easy to attack: just go to any page and hold down the 'F5' key for 30-60 seconds, and the requests will pile up on all web servers.

I read that if you make multiple calls to session, each will LOCK the session, hence the other requests have to wait to get the same user's session; this waiting ultimately causes the DDOS.

Our solution has been pretty primitive, from preventing the master page and custom controls from calling session (only the page is allowed to call it) to adding JavaScript that disables the F5 key.

I just realized ASP.NET with session is prone to such DDOS attacks!!

Has anyone faced a similar issue? Any global/elegant solution? Please do share. Thanks

visual

3 Answers


Check this:

Dynamic IP Restrictions: The Dynamic IP Restrictions Extension for IIS provides IT Professionals and Hosters a configurable module that helps mitigate or block Denial of Service Attacks or cracking of passwords through Brute-force by temporarily blocking Internet Protocol (IP) addresses of HTTP clients who follow a pattern that could be conducive to one of such attacks. This module can be configured such that the analysis and blocking could be done at the Web Server or the Web Site level.

Also, check this:

DoS Attack: Most sites/datacenters will control (D)DOS attacks via hardware, not software. Firewalls, routers, load balancers, etc. It is not efficient or desirable to have this at the application level of IIS. I don't want bloat like this slowing down IIS.

Also, DDOS prevention is a complex setup, with even dedicated hardware boxes just to deal with it, with different rules and analysis for them that take a lot of processing power.

Look at your web environment infrastructure, see the setup and see what your hardware provides as protection, and if it is a problem look at dedicated hardware solutions. You should block DDOS attacks as soon as possible in the chain, not at the end at the web server level.

Kapil Khandelwal
  • My issue is, my users are schools, and the users doing this DDOS are students who are maybe bored, so they hold down F5 and see what happens. I can't ban their IP, as if I do, everyone in the school will not be able to access it. I'm wondering, do I need to change my state service from State Server to something else? As this seems related to State Server behavior. – visual Apr 05 '13 at 09:03
  • We have installed Dynamic IP Restriction on all web servers, and the problem seems not to be occurring. – visual Aug 22 '13 at 06:54
  • A recommended read for all who want to use **Dynamic IP Restrictions** behind a proxy can be found here: http://blogs.iis.net/wadeh/archive/2012/08/01/dynamic-ip-restriction-proxy-mode.aspx. Also, this module has been [built into IIS8](http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions) so there's no need to install it there manually. – Oliver Jun 06 '14 at 09:48
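The module settings the answer and comments refer to, as an added example that is not configuration from the thread. This is the web.config form of the `dynamicIpSecurity` section (attribute names as in the IIS 8 built-in module); the thresholds are illustrative assumptions and must be tuned per site. Two points matter for the asker's setup: a whole school usually sits behind one NAT address, so the per-address counters aggregate every student's traffic and a low threshold blocks the school, not the one student holding F5; and behind a load balancer or reverse proxy the module otherwise counts the proxy's address, which is why `enableProxyMode` (reading the forwarded client address) is on. `enableLoggingOnlyMode="true"` makes the module log what it would have blocked without blocking, which is the safe way to find the thresholds before turning enforcement on. If the section is locked at the server level, set it in applicationHost.config under the site's `<location>` or unlock it there first.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- Added example; thresholds are assumptions to tune per site.
           Leave enableLoggingOnlyMode="true" until the IIS log shows the
           rules catching only the F5-holders, then set it to "false". -->
      <dynamicIpSecurity denyAction="Forbidden"
                         enableLoggingOnlyMode="true"
                         enableProxyMode="true">
        <!-- More than 20 requests within 200 ms from one client address:
             deny. Must stay well above what one shared school address
             produces in normal use. -->
        <denyByRequestRate enabled="true"
                           maxRequests="20"
                           requestIntervalInMilliseconds="200" />
        <!-- More than 10 requests in flight at once from one client
             address: deny. This is the limit a held-down F5 hits first,
             since each queued request is still open on the server. -->
        <denyByConcurrentRequests enabled="true"
                                  maxConcurrentRequests="10" />
      </dynamicIpSecurity>
    </security>
  </system.webServer>
</configuration>
```

In a farm the same settings have to be applied on every web server (or the balancer has to pin a client to one server), because each server keeps its own per-address counters.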

Well, for the most elegant solution, it has to be done on the network level. Since it is "nearly" impossible to differentiate a DDOS attack from valid session traffic, you need a learning algorithm running on the network traffic; most enterprise-level web applications need a DDOS defender on the network level. Those are quite expensive and more stable solutions for DDOS. You may ask your datacenter if they have DDOS defender hardware and, if they have, they can put your server traffic behind the device. Two of the main competitors in this market:

http://www.arbornetworks.com/

http://www.riorey.com/

Jean
  • The issue with hardware is cost (as far as possible, I cannot increase hardware/setup cost), as it seems very much code/technology related. As if I do not use session, then I will not have this issue (rather, I will not be so badly impacted). – visual Apr 05 '13 at 09:05
  • I must say it is really expensive, like 100k USD list prices. Not using session can work, but there is also a possibility of saturation on IIS because of the request count. – Jean Apr 05 '13 at 09:28

We had the same issue at work. It's not solved yet, but two workarounds we were looking at were:

  1. Changing the session state provider so that it doesn't lock the session, if your application logic would allow this...
  2. Upgrading the session state server so that it is faster (SQL 2016 in-memory session state, for example). This makes it a little harder for users to cause issues and means your app should recover faster.
fawr
  • We have moved on to SQL session state, but not SQL 2016, rather SQL08 (I can't tell if it's better, but I now can actually 'see' the active sessions). Is 'in-memory session' only available with 'Standard and higher' editions? On dealing with DDOS, the most effective seems to be to use CDN/DDOS protection services (e.g. Incapsula/Cloudflare). – visual Sep 19 '16 at 00:38
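Workaround 1 above, as an added example that is neither the answerer's nor the asker's code. The mechanism behind the pile-up: for every request whose page has read/write session, the session state module takes an exclusive lock on that session id in the store (State Server or SQL) for the whole request, so repeated requests from the same browser are served strictly one after another, and a held-down F5 simply lengthens the queue. A request marked read-only takes a non-exclusive read instead: read-only requests do not block each other, although they still wait for any in-flight read/write request to release its lock. The module below downgrades requests that only read session; it assumes .NET 4.0 or later for `HttpContext.SetSessionStateBehavior` (on ASP.NET 3.5, the same effect comes from `EnableSessionState="ReadOnly"` in each such page's @Page directive). The path list is an assumption for illustration.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example, not code from the thread. Registered in web.config with
//   <system.webServer><modules>
//     <add name="ReadOnlySession" type="ReadOnlySessionModule" />
//   </modules></system.webServer>
// Requires .NET 4.0+ (HttpContext.SetSessionStateBehavior).
public class ReadOnlySessionModule : IHttpModule
{
    // Assumption for illustration: pages under these paths read session
    // but never write it. Anything a read-only request writes to Session
    // is NOT written back to the State Server, so this list must only
    // contain pages that genuinely never update session.
    private static readonly string[] ReadOnlyPaths =
    {
        "/Reports/",
        "/Timetable.aspx",
        "/Default.aspx",
    };

    public void Init(HttpApplication app)
    {
        // Must run before AcquireRequestState, where the session lock is
        // taken; SetSessionStateBehavior throws if called after that.
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (IsReadOnlyRequest(ctx.Request))
        {
            // Non-exclusive read: concurrent read-only requests for the
            // same session id no longer queue behind each other.
            ctx.SetSessionStateBehavior(SessionStateBehavior.ReadOnly);
        }
    }

    public static bool IsReadOnlyRequest(HttpRequest request)
    {
        // Only safe, idempotent methods; a POST may legitimately write
        // session and must keep the exclusive lock.
        bool safeMethod =
            string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(request.HttpMethod, "HEAD", StringComparison.OrdinalIgnoreCase);
        if (!safeMethod)
        {
            return false;
        }

        // e.g. "~/Reports/Attendance.aspx"
        string path = request.AppRelativeCurrentExecutionFilePath;
        foreach (string prefix in ReadOnlyPaths)
        {
            if (path.StartsWith("~" + prefix, StringComparison.OrdinalIgnoreCase))
            {
                return true;
            }
        }
        return false;
    }

    public void Dispose()
    {
    }
}
```

This shortens the queue for the pages on the list but does not remove it: a page that writes session still serializes every request for that session id, and the requests a held-down F5 generates are still processed by the server even though the browser has abandoned them. A request-rate limit in front of the application (Dynamic IP Restrictions, or the CDN/DDOS services mentioned in the comment) is what stops the queue from forming in the first place.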