Memory Starvation Attacks

A memory starvation attack is designed to force your Web site to consume excess memory. This type of attack usually occurs if, when coding your site, you forget to check whether an allocation or new memory request succeeded and assume that memory will always be plentiful.

For example, an attacker can continuously add line items to baskets using a script that adds millions of line items. In a Commerce Server site, baskets are loaded into memory as a dictionary object, so an attacker will eventually exhaust the available memory of the server, resulting in a DoS. The Retail Solution Site mitigates this by limiting line items to 999. For your own Commerce Server site, choose a limit as needed.
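The line-item cap described above, as an added example in Python; it is not Commerce Server or Retail Solution Site code. Only the 999 limit comes from this page; the `Basket` class, `BasketLimitError`, and the quantity and SKU-length bounds are assumptions made for illustration.

```python
# Added illustration: every name and limit here except 999 is an assumption.
MAX_LINE_ITEMS = 999        # cap on distinct line items (the value this page cites)
MAX_QTY_PER_LINE = 10_000   # assumed per-line quantity bound
MAX_SKU_LENGTH = 64         # assumed bound on the size of each attacker-supplied key


class BasketLimitError(Exception):
    """Raised when a request would grow the basket past its limits."""


class Basket:
    def __init__(self):
        self._lines = {}    # sku -> quantity, standing in for the in-memory dictionary
        self.rejected = 0   # count of refused adds; a spike is worth alerting on

    def add(self, sku, quantity=1):
        # Validate before storing anything, so a refused request costs no memory.
        if not isinstance(sku, str) or not 0 < len(sku) <= MAX_SKU_LENGTH:
            self._reject("invalid SKU")
        if not isinstance(quantity, int) or quantity < 1:
            self._reject("invalid quantity")
        new_qty = self._lines.get(sku, 0) + quantity
        if new_qty > MAX_QTY_PER_LINE:
            self._reject("quantity limit reached")
        # A repeated SKU merges into its existing line; only a new SKU adds an entry.
        if sku not in self._lines and len(self._lines) >= MAX_LINE_ITEMS:
            self._reject("line item limit reached")
        self._lines[sku] = new_qty

    def quantity(self, sku):
        return self._lines.get(sku, 0)

    def _reject(self, reason):
        self.rejected += 1
        raise BasketLimitError(reason)

    def __len__(self):
        return len(self._lines)


def simulate_scripted_adds(attempts):
    """Replay a constructed flood of unique SKUs; return (stored, rejected)."""
    basket = Basket()
    for i in range(attempts):
        try:
            basket.add(f"SKU-{i}")
        except BasketLimitError:
            pass
    return len(basket), basket.rejected
```

The check runs on the server at the point where the basket grows, so the dictionary never holds more than 999 entries no matter how many requests a script sends.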

To mitigate memory starvation attacks on IIS itself, use these settings:

  • Adsutil.vbs set w3svc/*/ConnectionTimeout 30
  • Adsutil.vbs set w3svc/*/UploadReadAheadSize 2000
  • Change or add the registry value MaxClientRequestBuffer=16384 under HKLM/System/CurrentControlSet/Services/w3svc/parameters/

Copyright © 2005 Microsoft Corporation.
All rights reserved.