IIS Server - ASP Script DoS

Marcelo Coelho

2004-02-06, 2:36 am

Hi all,

I'm planning to start hosting shared websites in a Windows 2000 box. It will
run basically ASP.


I'm very concerned about what types of scripts my users can run. I run this
little script in a Pentium III 800 MHz dual machine:

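<%
' Raise the per-page script timeout to 500 seconds
Server.ScriptTimeOut = 500
x = 0
y = 0

While x < 3000
    If y = 50 Then
        ' Busy loop: burns CPU without doing any useful work
        For i = 0 to 1000000
        Next
        Response.Write " ...stop... <br>"
        y = 0
    End If
    x = x + 1
    y = y + 1
    Response.Write x
Wend
%>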

Of course this is stupid, but any user could do this.

After running this, it looks like I generated an ASP queue and all other
scripts just time out!! How is this possible? Isn't IIS supposed to be
multi-threaded?

Is this architecture so fragile that somebody could DoS my server with this
simple script? What can I do to avoid this? IIS configuration, any hints?


Thanks

Marcelo Coelho



Pat [MSFT]

2004-02-06, 5:34 pm

1) If you have ASP Sessions enabled, then multiple requests from the same
browser will queue. A second browser will generate a second parallel
execution. You get 25 * #CPU * #worker processes concurrent ASP pages
(default/configurable).

2) IIS has no way of knowing if that is bad or not. It doesn't grade code.
For example, you could be parsing a very, very long list (which would behave
similarly) - I have seen similar code written to do just that running in
production.

As to what you can do, several hosters are in the group and they may have
some suggestions. But, basically, there are a few things you can do:
1) Use the CPU quota features.
2) Monitor the server. If you see it happen, you can run IISState, which
will tell you the page that caused the problem, and you can follow up. Or
watch the IIS log files. Or use one of the server monitoring utilities that
cycle bad processes. Or limit ASP access to trusted (or at least better
paying) customers.
3) Assign folks to their own high isolation processes.

Pat


"Marcelo Coelho" <marcelo@tpn.com.br> wrote in message
news:eXPa%23mM7DHA.3648@TK2MSFTNGP11.phx.gbl...
> Hi all,
>
> I'm planning to start hosting shared websites in a Windows 2000 box. It will
> run basically ASP.
>
>
> I'm very concerned about what types of scripts my users can run. I run this
> little script in a Pentium III 800 MHz dual machine:
>
> <%
> Server.ScriptTimeOut = 500
> x = 0
> y = 0
> While x <3000
> If y = 50 Then
> For i = 0 to 1000000
> Next
> Response.Write " ...stop... <br>"
> y = 0
> End If
> x = x + 1
> y = y + 1
> Response.Write x
> Wend
> %>
>
> Of course this is stupid, but any user could do this.
>
> After running this, it looks like I generated an ASP queue and all other
> scripts just time out!! How is this possible? Isn't IIS supposed to be
> multi-threaded?
>
> Is this architecture so fragile that somebody could DoS my server with this
> simple script? What can I do to avoid this? IIS configuration, any hints?
>
>
> Thanks
>
> Marcelo Coelho
>
>
>
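Added example (not part of the original thread and not written by either poster): one way to act on the "watch the IIS log files" suggestion is to rank ASP pages by the request time they consume. It assumes W3C extended logging with the optional time-taken field (milliseconds) enabled; the log lines, site paths and the 30-second threshold are constructed for illustration.

```python
"""Rank ASP pages in an IIS W3C extended log by the request time they consume."""
from collections import defaultdict

# Constructed sample log (hypothetical sites and paths). Real logs must have
# the optional "time-taken" field (milliseconds) enabled in W3C logging.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2004-02-06 02:30:01 10.0.0.5 GET /site1/default.asp 200 47
2004-02-06 02:30:02 10.0.0.9 GET /site2/loop.asp 200 412000
2004-02-06 02:30:03 10.0.0.7 GET /site1/logo.gif 200 15
2004-02-06 02:31:10 10.0.0.9 GET /site2/loop.asp 500 500031
2004-02-06 02:31:12 10.0.0.5 GET /site1/default.asp 500 90125
2004-02-06 02:31:40 10.0.0.8 GET /site3/cart.asp 200 310
"""

def slow_asp_pages(log_text, threshold_ms=30000):
    """Return [(uri, slow_hits, total_ms, max_ms)] for .asp pages, worst first."""
    fields = []
    stats = defaultdict(lambda: [0, 0, 0])  # slow hits, total ms, max ms
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The header can reappear mid-file when logging settings change.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "").lower()
        taken = row.get("time-taken", "")
        if not uri.endswith(".asp") or not taken.isdigit():
            continue  # skip static files and rows without a usable duration
        ms = int(taken)
        s = stats[uri]
        s[0] += ms >= threshold_ms
        s[1] += ms
        s[2] = max(s[2], ms)
    # Keep only pages that crossed the threshold at least once.
    ranked = [(u, *s) for u, s in stats.items() if s[0]]
    return sorted(ranked, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for uri, slow, total, worst in slow_asp_pages(SAMPLE_LOG):
        print(f"{uri}: {slow} slow hit(s), {total} ms total, worst {worst} ms")
```

Sorting by total time puts the page that holds ASP threads longest at the top, which is the customer script to follow up on.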




Copyright 2003 - 2009 webservertalk.com