Reputation: 1507
We are using AzureReader2 to which we have downloaded all our images. Also, we are using ImageResizer to resize the images on the website.
I would like to know what security issues may arise with AzureReader2 and ImageResizer, and how we can prevent them.
I am aware of the cache getting overflowed with image resizing. What could be the other security issues?
Upvotes: 0
Views: 120
Reputation: 115
To answer your question concerning ImageResizer, neither CPU nor RAM can generally be overloaded during a (D)DOS attack. Memory allocation is contiguous, meaning an image cannot be processed unless there is around 15-30% free RAM remaining. Under the default pipeline, only 2 cores are used for image processing, so a regular server will not see CPU saturation either.
In general, there are far more effective ways to attack an ASP.NET website than through ImageResizer. Any database-heavy page is more likely to be a weak point, as the memory allocations are smaller and easier to saturate the server with.
Disk space starvation can be mitigated by enabling autoClean="true".
If you're a high-profile site with lots of determined ill-wishers, you can also consider the following:
1. Use request signing - only URLs generated by your server will be accepted.
2. Use the Presets plugin to white-list defined permitted command combinations.
Both of these reduce development agility and limit your options for responsive web design, so unless you have actually been attacked in the past, I don't suggest them.
In practice, (D)DOS attacks against dynamic imaging software are rarely useful at bringing down anything except — temporarily — uncached images — even when running under the same application pool. Since visited images tend to be cached, the actual effect is rather laughable.
Upvotes: 1
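The request signing mentioned in the answer can be pictured as an HMAC over the image path and resize commands, checked before any resizing work starts. The following is an added example, not code from the answer and not ImageResizer's own signing implementation; the `sig` parameter name, the demo key and the `/azure/photos/cat.jpg` path are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class SignedImageUrl
{
    // Canonical form: path plus query pairs sorted by key, so parameter order cannot alter the MAC.
    static string Canonical(string path, IDictionary<string, string> query)
    {
        var pairs = query.Where(kv => kv.Key != "sig")   // "sig" is a hypothetical parameter name
            .OrderBy(kv => kv.Key, StringComparer.Ordinal)
            .Select(kv => Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value));
        return path + "?" + string.Join("&", pairs);
    }
    static string Mac(byte[] key, string canonical)
    {
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)))
                .Replace("-", "").ToLowerInvariant();
    }
    // Called where the page is rendered: returns the URL to put in the <img> tag.
    public static string Sign(byte[] key, string path, IDictionary<string, string> query)
    {
        string c = Canonical(path, query);
        return c + (c.EndsWith("?") ? "" : "&") + "sig=" + Mac(key, c);
    }
    // Called before any resizing work: false means the request should be rejected.
    public static bool Verify(byte[] key, string path, IDictionary<string, string> query)
    {
        if (!query.TryGetValue("sig", out string given) || given == null) return false;
        string expected = Mac(key, Canonical(path, query));
        if (given.Length != expected.Length) return false;
        int diff = 0;                       // compare every character, no early exit
        for (int i = 0; i < expected.Length; i++) diff |= given[i] ^ expected[i];
        return diff == 0;
    }
    public static void Main()
    {
        // Constructed demo key; in practice load a long random secret from protected configuration.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key");
        var q = new Dictionary<string, string> { { "width", "200" }, { "height", "150" } };
        string url = Sign(key, "/azure/photos/cat.jpg", q);
        q["sig"] = url.Substring(url.LastIndexOf("sig=") + 4);
        Console.WriteLine(url + " -> " + Verify(key, "/azure/photos/cat.jpg", q));
        q["width"] = "20000";               // size edited after signing, old signature kept
        Console.WriteLine("tampered width -> " + Verify(key, "/azure/photos/cat.jpg", q));
    }
}
```

Because every distinct width and height must be signed server-side, client-side code cannot request arbitrary sizes, which is the loss of flexibility for responsive design that the answer points out.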