I have a problem, please help!
Our site was under Slow HTTP POST DOS attack recently. It's when your server receives a lot of incoming connections and keep them for long time because the sender sends information very slow and server cant serve real users' request - denial of service.
So I decied to reject such POST requests:
void Application_BeginRequest(object sender, EventArgs e)
{
if ( _my_condition_here_ )
{
_reject_the_request_by_dropping_connection_
}
}
The problem is that I can't drop the HTTP connection in asp.net:
Response.End(), throw new Exception(), even Thread.CurrentThread.Abort()
don't close the connection. It waits while sender sends all the fake data, then answer to it with '500 server error' or something. The slow POST attack still will be successful in this case.
How can I just drop the connection? Or maybe there are some settings or modules in IIS 7 which can do that for me?
Try Response.Close instead of Response.End. See also the checked answer of this SO thread.