WebApp Sec mailing list archives

Re: Limiting application's database size
From: PD9 Software <info () pd9soft com>
Date: Wed, 30 Jun 2004 10:28:31 -0500

If you really want to take this route, I wouldn't attempt to limit per IP. Factors like proxies are more apt to bite you and trouble your users than they are likely to save you any heartache. If you want to limit by session, that may work better, although this is certainly not a feature intrinsically supplied by IIS. You would accomplish this with ASP, PHP or something analogous. Make sure to set the threshold to something unusually high so a legitimate user would not hit this barrier, but a malicious script would still be thwarted.

For what it's worth, the previous poster's suggestion that you script the system to e-mail you when the database is nearing capacity is likely the safest bet, and the least likely to bother your users.

Matt


Thorpe, Jason (TAD) wrote:

Thanks for the help.

Could limiting the number of IP commits in one session be accomplished
through IIS?

-----Original Message-----
From: Mike.Wiltshire () sunlife com [mailto:Mike.Wiltshire () sunlife com]
Sent: Monday, June 28, 2004 10:16 AM
To: webappsec () securityfocus com
Subject: Re: Limiting application's database size




You can limit the database size in the database properties dialog if you've
appropriate permissions.

http://www.winnetmag.com/Windows/Articles/ArticleID/23321/pg/2/2.html

One extra point though, and that is as well as limiting the datafile size,
don't forget about the transaction max log file size - learned that the
hard way meself!

http://www.winnetmag.com/Files/23321/Figure_03.gif

Are you sure you need to allow unauthenticated users to enter data into
your database? Can you harvest the data, sanitise then remove to a
different database after it's loaded? Or maybe you can limit the amount a
single IP commits in one session? Just some thoughts.

hope this helps,
Mike








"Thorpe, Jason (TAD)" <Jason.Thorpe () fta dot gov>
To: webappsec () securityfocus com, security-basics () securityfocus com
cc: (bcc: Mike Wiltshire/ServiceCentre/Ireland/SunLife)
28/06/2004 14:03
Subject: Limiting application's database size







I have a database server that contains several applications.  One of the
applications allows users to enter information into the database without
being authenticated.  My concern is that a malicious script could quickly
increase the size of the database, thus taking all free disk space on
the server.  Is there a way to limit the size of the database so that it will
not affect the other applications?  Or does anybody have any suggestions on
a way to handle this situation?

DB Server: MS SQL Server, IIS








---------------------------------------------------------------------------
This e-mail message (including attachments, if any) is intended for the use
of the individual or entity to which it is addressed and may contain
information that is privileged, proprietary , confidential and exempt from
disclosure.  If you are not the intended recipient, you are notified that
any dissemination, distribution or copying of this communication is
strictly prohibited.  If you have received this communication in error,
please notify the sender and erase this e-mail message immediately.
---------------------------------------------------------------------------






--
 Matt Summers
PD9 Software, Inc
 http://www.pd9hosting.com / Hosting & Design
 http://www.pd9soft.com

 4520 Moorfield Ln
 Fort Wayne, IN 46816
(815)642-9367 - Fax
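
The two controls discussed in this thread (a cap on both the data file and the transaction log, plus a warning before the cap is reached) can be sketched in T-SQL. This is an added example, not code from any of the posters: the database name `PublicForms`, its logical file names, the sizes and the 80% threshold are all constructed, and the `sys.database_files` view assumes SQL Server 2005 or later.

```sql
-- Added example; PublicForms and its logical file names are hypothetical.

-- 1. Cap the data file so the unauthenticated application cannot
--    consume the disk shared with the other applications.
ALTER DATABASE [PublicForms]
MODIFY FILE (NAME = N'PublicForms_Data', MAXSIZE = 2048MB);

-- 2. Cap the transaction log as well; an uncapped log can fill the
--    disk even when the data file is limited.
ALTER DATABASE [PublicForms]
MODIFY FILE (NAME = N'PublicForms_Log', MAXSIZE = 512MB);
GO

-- 3. Capacity check to run on a schedule (for example from a job that
--    e-mails the administrator when any row is returned).
--    size and max_size are counted in 8 KB pages, so /128.0 gives MB.
--    max_size = -1 means unlimited growth; 0 means growth is disabled,
--    in which case the current size is the effective cap.
USE [PublicForms];
GO

SELECT f.name,
       f.type_desc,
       f.used_mb,
       f.cap_mb,   -- NULL: file has no cap and should get one
       CAST(100.0 * f.used_mb / f.cap_mb AS decimal(5,1)) AS pct_of_cap
FROM (
    SELECT name,
           type_desc,
           FILEPROPERTY(name, 'SpaceUsed') / 128.0 AS used_mb,
           CASE max_size
                WHEN -1 THEN NULL
                WHEN 0  THEN size / 128.0
                ELSE max_size / 128.0
           END AS cap_mb
    FROM sys.database_files
) AS f
WHERE f.cap_mb IS NULL              -- uncapped file
   OR f.used_mb >= 0.8 * f.cap_mb;  -- at or above 80% of the cap
```

Once a capped file is full, inserts into that database fail until space is freed or the cap is raised, so the warning threshold should leave time to react.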


