Saturday, March 24, 2012

Exceptions + ScriptService and DOS avoidance

Hi all -

A security question for you all that I haven't had time to think about in depth yet but wanted to see what everyone thinks on this.

It is well known that exceptions in any language are resource intensive (linked list implementation I believe). Today, after reading this (http://blogs.msdn.com/dszabo/archive/2006/11/09/exceptions-are-expensive.aspx) blog post by David Szabo, I realized there may be a similar type of denial of service attack on script services that throw exceptions.

What does everyone think? Am I being too paranoid about the extra resources and time spent on throwing exceptions, and is it essentially the same problem as stopping any DOS? Or should I go through some steps to reduce exceptions in my script services, and how much will this help?

I have not done any testing yet, but I imagine if I were to do the tests and get results comparable to David Szabo's tests, removing exception use can significantly reduce impact in case of DOS and more requests can be handled.

Any thoughts?

I think the answer to this one is it depends.

In general, I don't think an attacker slamming your webservice and causing it to throw exceptions over and over is going to be worse than an attacker hitting an expensive webservice with real requests and fetching lots of data over and over. Just by exposing a webpage or script service, you are opening yourself up to DOS, so I don't think you really need to worry about avoiding throwing exceptions in your web method just to prevent DOS.

Hope that helps,
-Hao
