How to restrict DOS attack with Web API

Question

I am planning to develop a internet site using MVC4 and Web APi. Its a simple application which will display a customer information based on search.

For Search funct

Answer 1

By DOS attack I'm assuming you mean an attack on your system where constant requests are made in order to cause depletion of resources due to the constant execution of the company search query against your database.

To help prevent this you could log the remote IP address on every request and throttle the responses so you only serve so many per minute to each IP address. Any requests in addtions could be met by an artificial delay (e.g. Thread.Sleep()). This approach will be more limited against a DDoS attack where the remote IP addresses will be over a wide range, and also assumes your IP address lookup takes less resources than the company search, but it will still help.

MS Anti-XSS would only protect you from Cross Site Scripting and would not protect against DoS/DDoS. An Anti Forgery token would only protect you against Cross Site Request Forgery - even if you had a token, the bot could simply request your page to grab the token and then submit it to your API function.

A CAPTCHA may be another solution, but you would need for them to enter the CAPTCHA code in your webpage, and then validate it in your API web method.