Roundtripping DataContracts and Denial Of Service attacks


I am working on a datacontract as follows that uses IExtensibleDataObject to make it forward compatible with version 02 of this contract, but am worried about possible 'accidental' denial of service via clients passing excessive quantities of data over the wire that needs to be de-serialised, re-serialised and sent back.

Without turning the support off via the ignoreExtensionDataObject in the config file, is there a way of protecting against such an eventuality, i.e. can you cap the quantity somehow?

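using System.Runtime.Serialization;

[DataContract(Namespace="http://schemas.myComany.com/sample/01")]
public class Sample : IExtensibleDataObject
{
    [DataMember]
    public int sample_ID;

    // Holds any elements the serializer did not recognise (e.g. version 02 members)
    // so they can be written back out when the object is re-serialised.
    private ExtensionDataObject _data;
    public virtual ExtensionDataObject ExtensionData
    {
        get { return _data; }
        set { _data = value; }
    }

    // ....
}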

Thanks in advance

Ladislav Mrnka On BEST ANSWER

The way to protect your service is limiting MaxReceivedMessageSize (by default it is 65KB) and reader quotas in your binding.
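
The settings named in the answer, placed in a service config file. This is an added example, not part of the original answer; it assumes basicHttpBinding, and the binding, behavior, service and contract names are hypothetical. The quota values shown are the WCF defaults and should be tightened to the largest message the contract legitimately needs.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Hypothetical binding name. maxReceivedMessageSize caps the whole
           incoming message, unknown (extension) elements included. With
           buffered transfer, maxBufferSize must match it. -->
      <binding name="cappedBinding"
               maxReceivedMessageSize="65536"
               maxBufferSize="65536">
        <!-- Reader quotas bound what the XML reader will accept
             while the message is being parsed. -->
        <readerQuotas maxDepth="32"
                      maxStringContentLength="8192"
                      maxArrayLength="16384"
                      maxBytesPerRead="4096"
                      maxNameTableCharCount="16384" />
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="cappedBehavior">
        <!-- Round-tripping stays enabled, as the question requires. -->
        <dataContractSerializer ignoreExtensionDataObject="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="MyCompany.SampleService"
             behaviorConfiguration="cappedBehavior">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="cappedBinding"
                contract="MyCompany.ISampleService" />
    </service>
  </services>
</system.serviceModel>
```

A message that exceeds any of these limits is rejected while it is being read, before the extension data reaches the service operation.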