Re: How to prevent a webservice from responding anything at all?
From: Daniel Garcia (dgarcia@carpartseast.com)
Date: 11/08/02
From: "Daniel Garcia" <dgarcia@carpartseast.com> Date: Fri, 8 Nov 2002 16:02:40 -0500
Paul,
Thanks for your answer, but our application (IIS in fact) allows anonymous
access to the webservices. It is our application that authenticates a user by
looking up his credentials in a database table. Sorry for not making that
clear. Any ideas on how to solve the problem?
Thanks again,
Daniel
"Paul S." <pauls@lanset.com> wrote in message
news:#YF$vO2hCHA.2544@tkmsftngp11...
> An ASP.NET Web services application uses the same authentication method as
> your ASP.NET application. Make use of the security features that ASP.NET
> provides and disallow unauthenticated users from accessing your web service
> AT ALL. If you want some methods to be called by authenticated users and
> some by unauthenticated users, follow Microsoft's suggested approach and
> create a subfolder in your application that would allow only authenticated
> users to access resources in that folder.
>
> Look at examples that Microsoft provides in the Duwamish and other web
> applications.
>
> "Daniel Garcia" <dgarcia@openwebs.com> wrote in message
> news:evaKivzhCHA.1308@tkmsftngp11...
> > Hello all,
> >
> > I am on a B2B scenario in which some of the webservices take extra
> > parameters for authentication issues (I am using userId + password, but
> > this could also apply to a session identifier, etc). Now imagine someone
> > wants to break in and starts calling my webservices with usernames and
> > passwords from a dictionary. I figure that if I can make my server
> > respond "slowly" to an invalid request (invalid meaning wrong
> > credentials) then it will take the attacker longer to break in.
> >
> > I could do something like CurrentThread.Sleep(5000), but this still uses
> > server resources. I would like my webservice not to respond *at all* so
> > the attacker has to wait for some client-side timeout to expire before
> > trying the next combination. Since the longer the timeout, the better
> > (although I understand this is not under my control), I also cannot do
> > things like Context.Response.Close() because the client may notice
> > immediately (IE seems to give an error pretty quickly).
> >
> > So the basic idea is: I want my server to discard a request, not waste
> > any resources whatsoever anymore on it and go about attending other
> > requests. The client can wait as much as it wishes for a response that is
> > never going to come.
> >
> > I have found that the code below seems to do the trick, at least from
> > the client-side point of view (IE waits forever, apparently...).
> >
> > <WebMethod()> Public Function BlackHole() As String
> >     Context.Response.SuppressContent = True
> > End Function
> >
> > Does this really work as I think? Is this a reasonable solution for my
> > problem?
> >
> > And regarding the server. After returning from the above webservice:
> >
> > - Is the connection still open?
> > - Is the thread that ran the webservice still busy with it?
> > - Is the server using any resources at all?
> >
> > Thanks,
> >
> > Daniel Garcia
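
An added example, not code from any poster in this thread: the thread's idea of delaying replies to failed logins, done with an event-loop timer so no worker thread sleeps, and with a cap on how many replies are held back at once. It is written in Python asyncio rather than ASP.NET; the names FailureDelay, run_batch and USERS and the sample credentials are constructed for illustration.

```python
import asyncio
import hmac
import time

# Constructed sample credential table (hypothetical; real systems store password hashes).
USERS = {"acme": "s3cret"}


class FailureDelay:
    """Hold back replies to failed logins on a timer instead of a sleeping thread."""

    def __init__(self, delay=5.0, max_pending=50):
        self.delay = delay              # seconds a failed login waits for its reply
        self.max_pending = max_pending  # cap on replies held back at the same time
        self.pending = 0

    async def login(self, user_id, password):
        # Saturated: answer "busy" before looking at the credentials, so the
        # fast path tells a guesser nothing and held replies stay bounded.
        if self.pending >= self.max_pending:
            return "busy"
        expected = USERS.get(user_id, "")
        match = hmac.compare_digest(expected.encode(), password.encode())
        if user_id in USERS and match:
            return "ok"
        self.pending += 1
        try:
            await asyncio.sleep(self.delay)  # event-loop timer; no thread is blocked
        finally:
            self.pending -= 1
        return "denied"


async def run_batch(n, delay=0.2, max_pending=50):
    """Send n wrong-password logins at once; return (results, elapsed seconds)."""
    gate = FailureDelay(delay, max_pending)
    start = time.monotonic()
    results = await asyncio.gather(
        *(gate.login("acme", f"guess{i}") for i in range(n)))
    return list(results), time.monotonic() - start


if __name__ == "__main__":
    results, elapsed = asyncio.run(run_batch(60))
    # 50 held replies share one thread and finish together after about one delay.
    print(results.count("denied"), results.count("busy"), round(elapsed, 2))
```

Each held reply still occupies an open connection and a small amount of memory, which is why the cap exists; while it is reached, legitimate logins are also turned away.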