0

IIS 7 -- "Maximum Requesting Entity Body Limit"

It is certainly easy enough to increase the field "Maximum Requesting Entity Body Limit" in IIS 7.

Has anyone encountered risks to increasing this limit past 1 000 000 ? (one million)?

This is for a web-hosting application that contains "classic asp" legacy pages.

JosephDoggie
  • 167
  • 2
  • 4
  • 14
  • 1
    If I know your site, and you are using such a setting, I can easily DDOS it by sending HTTP requests with large entity body. Do set a moderate value to protect yourself. – Lex Li Jul 19 '18 at 03:19
  • @Lex Li -- Please promote your comment to an answer, and I will mark it as "accepted" -- thanks. – JosephDoggie Jul 26 '18 at 16:57

1 Answers1

1

Copied from the comment.

Usually the relevant IIS settings are set to prevent common security vulnerabilities.

In your case, if I know your site, and you are using such a setting, I can easily DDOS it by sending HTTP requests with large entity body. The cause is that processing large entity body does consume lots of server resources, and your server cannot have unlimited resources.

Do set a moderate value to protect yourself. This also applies to other settings, such as max connections, max bandwidth, and so on.

Lex Li
  • 912
  • 6
  • 10