AliC

Reputation: 53

How can I limit the number of image files created by ImageResizer app?

We're about to start using ImageResizer (http://imageresizing.net/) and we're using the DiskCache plugin. We have a concern that it would be very easy to create millions of files and cause problems around storage.

I can't find a current and detailed explanation of all the configuration options. Some look like they might be something we want to change from their defaults (despite the warnings), i.e. subfolders="32" targetItemsPerFolder="400" maximumItemsPerFolder="1000", but I can't tell how or if they work together. Some "subfolders" related configuration is mentioned here: http://imageresizing.net/plugins/diskcache but I'm not certain of the usage or the other settings that aren't mentioned.

Is there a way of limiting the number of files created? What happens when this limit is hit? I'm thinking of a scripted scenario where someone is requesting all files with different instructions, thereby creating millions of files...so what happens when this limit is hit repeatedly?

Upvotes: 3

Views: 121

Answers (1)

Lilith River

Reputation: 16468

subfolders x targetItemsPerFolder = soft limit

32 x 400 = 12,800

subfolders x maximumItemsPerFolder = hard limit

32 x 1,000 = 32,000

The soft limit is enforced unless all of the cached files are 'actively used'. The hard limit is enforced regardless of circumstances. If you want to increase the size of the cache, increase subfolders instead of the other values; they are already tuned for optimal performance on an NTFS filesystem.

Set autoClean=false to disable background cache cleanup.

Even with autoClean disabled, filling up storage space with compressed imagery is a terribly inefficient way to run a (D)DOS attack. It's also super easy to mitigate in a variety of ways - through standard (D)DOS prevention methods, by just using a CDN like CloudFront, or by putting it in its own Application Pool with throttling enabled. ImageResizer has no need to run in-process with your application; it can always be externalized if you're using the URL API.

If your website is the kind that attracts targeted (D)DOS attacks on a daily basis, you could consider signing all image URLs with a hash - i.e., if the URL didn't appear in HTML, it isn't served. The EncryptedPlugin (beta, not documented, but included in the download) can do this for you, but unless you actually see targeted attacks, DON'T. It'll be pain with no gain.

Know that there are a lot of mitigation options available. If the website is considered high-risk for targeted attacks, leave a way open for image URLs to be modified (funnel through a helper method or something). This will ensure you can take advantage of any of the mitigation options mentioned in this article.

However, a better approach that solves the general problem is to buy a firewall or use a hosting company with a good IPS.

Upvotes: 1
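The signed-URL idea from the answer above, combined with its advice to funnel image URLs through a helper method, as an added example that is not part of the original answer and not the EncryptedPlugin's own scheme. The class name, the `sig` parameter and the key are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not an ImageResizer API): views call Sign() for every
// image URL; the request pipeline calls Verify() and rejects failures before
// the resizer runs, so unsigned instruction sets never create cache files.
public static class SignedImageUrl
{
    // Placeholder key: use a long random secret from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-RANDOM-SECRET");

    // MAC over the lower-cased path plus the instructions in sorted order, so
    // reordering parameters keeps the signature valid but changing one does not.
    static string Mac(string path, string query)
    {
        var pairs = query.TrimStart('?')
            .Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries)
            .Where(p => !p.StartsWith("sig=", StringComparison.Ordinal))
            .OrderBy(p => p, StringComparer.Ordinal);
        string canonical = path.ToLowerInvariant() + "?" + string.Join("&", pairs);
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)))
                .Replace("-", "").ToLowerInvariant();
    }

    public static string Sign(string path, string query) =>
        path + "?" + query.TrimStart('?') + "&sig=" + Mac(path, query);

    // Pass the raw path and query string exactly as received.
    public static bool Verify(string path, string query)
    {
        string given = query.TrimStart('?').Split('&')
            .Where(p => p.StartsWith("sig=", StringComparison.Ordinal))
            .Select(p => p.Substring(4)).FirstOrDefault() ?? "";
        string expected = Mac(path, query);
        int diff = given.Length ^ expected.Length;   // constant-time comparison
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ (i < given.Length ? given[i] : '\0');
        return diff == 0;
    }

    public static void Main()
    {
        string url = Sign("/img/photo.jpg", "width=200&height=100");  // constructed sample
        string q = url.Substring(url.IndexOf('?'));
        Console.WriteLine(Verify("/img/photo.jpg", q));                                    // signed URL
        Console.WriteLine(Verify("/img/photo.jpg", q.Replace("width=200", "width=201")));  // altered width
    }
}
```

Because the check runs before any resizing, a scripted client cycling through instruction combinations is rejected without writing to the disk cache; only URLs the site itself emitted can create files.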
