Denial of Service Vulnerability in ASP.NET

Detailed information has been published describing a new method to exploit hash tables, known as hash collision attacks.  These attacks are not specific to Microsoft technologies and affect other web service software providers as well.  This particular vulnerability affects all versions of Microsoft .NET Framework and could allow for an unauthenticated denial of service attack on servers that serve ASP.NET pages.

Sites that only serve static content or disallow dynamic content types are not vulnerable.  The vulnerability exists due to the way that ASP.NET processes values in an ASP.NET form post causing a hash collision.  It is possible for an attacker to send a small number of specially crafted posts to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition.

Microsoft is not aware of any active attacks, but detailed information about the attack methodology is available.  Details of a workaround to help protect sites against this vulnerability are provided in this article.  Individual implementations for sites using ASP.NET will vary.  Evaluate the impact of the workaround for applicability to your implementations.