Security guidelines to detect and prevent DOS attacks targeting IIS/Azure Web Role (PAAS)

In a previous blog, we explained how to Install IIS Dynamic IP Restrictions in an Azure Web Role. In the present article, we’ll provide guidelines to collect data and analyze it to be able to detect potential DOS/DDOS attacks. We’ll also provide tips to protect against those attacks. While the article focuses on web applications…


Background threads in ASP.net applications (Part 3 – threading side effects)

In the final article of the series on the dangers of ASP.net background threading, to illustrate the dangers of such an architecture, I will start by introducing one more modification to the code of the sample application. This modification will be added to the code of the Global.asax that starts off the infinite loop thread…


Background threads in ASP.net applications (Part 2 – thread implementation)

To continue the saga of developing ASP.net applications that make use of background threads, we will look at how to ‘optimize’ the application that I have proposed in the first article. The objective would be to have the application load the data in the background via a thread that would update the price of certain…


Background threads in ASP.net applications (Part 1 – the concept application)

When debugging memory dumps from customers, I have come to see, quite often, a pattern that you should not use in your application if you don’t want to run into trouble. This pattern can be summed up in a simple rule: thou shalt not create thy own threads in thy application! To show you what I…


Encrypting connectionStrings in Web.Config using the NetFrameworkConfigurationKey in an IIS Web Farm scenario

One of the most recommended measures during a web application security audit is to encrypt the connectionStrings section of a Web.Config file. While this operation is quite easy in a single IIS server environment, it can be really difficult in a Web Farm environment with data replication between every server. If you encrypt this…


Encrypting the connectionStrings in a Web.Config using the NetFrameworkConfigurationKey in an IIS Web Farm scenario

One of the most recommended measures during a web application security audit is to encrypt the connectionStrings section of the Web.Config file. While this operation is relatively simple in an environment with a single IIS server, it can get complicated when dealing with a Web Farm with data replication between different servers. If you…


WebRole entry point and config file…

When you write a web role requiring application-specific configuration (like assembly binding), you may have a hard time trying to figure out which app configuration file should be used and how to get it deployed and used in your role. This issue has been hit by many developers and raised in many blogs &…


Easily detect and block malicious HTTP requests targeting IIS/ASP.NET using “BLACKIPS”

In a previous blog, I detailed how to Install IIS Dynamic IP Restrictions in an Azure Web Role to block DOS attacks targeting a web role in Azure. In many situations, an attacker may combine other attacks with DOS, such as script injection attacks that probe and target an application’s vulnerabilities by sending malicious…


Installing IIS Dynamic IP Restrictions in an Azure Web Role (PAAS)

A Denial-of-Service (DOS) attack can target any application/tenant, whether it is hosted in Windows Azure or by an ISP. If you are using Azure Web Sites or IIS in a VM (IAAS), a simple way to mitigate such an attack would be to enable Dynamic IP Restrictions as described in many blog articles: Configuring…


How to analyse IIS logs using LogParser / LogParser Studio

In a previous blog article I detailed how to analyse IIS logs using Excel. However, when you have very large logs or when you want to automate this operation, Excel is not the best tool for the job. This is where LogParser 2.2 takes over. It allows you to parse any kind of logs (IIS, HTTPErr, Event…
