Yearly Archives: 2010

WCF Throttling – Part 1

The default throttling settings in WCF have always been very conservative. They were configured conservatively to reduce the risk of request flooding: without throttling, a large number of requests can make the service unresponsive, as it consumes all its resources trying to respond to every request simultaneously.

Because of these very conservative settings, many developers have run into what looked like WCF performance problems but were actually incorrectly configured throttling settings.

WCF throttling is a service behavior configuration, and the effect of each setting depends on the InstanceContextMode and ConcurrencyMode settings:

  • maxConcurrentCalls (int) – the maximum number of messages processed concurrently
  • maxConcurrentInstances (int) – the maximum number of InstanceContext objects (service type instances) processing concurrently
  • maxConcurrentSessions (int) – the maximum number of sessions processed concurrently

These throttling settings can be configured in code via the ServiceThrottlingBehavior in the System.ServiceModel.Description namespace, or through configuration like below:

<system.serviceModel>
    <serviceBehaviors>
      <behavior name="throttlingServiceBehavior">
        <serviceThrottling maxConcurrentCalls="16"
                           maxConcurrentInstances="160"
                           maxConcurrentSessions="10"/>
      </behavior>
    </serviceBehaviors>
</system.serviceModel>

The default values in .Net 3.0/3.5 are:

  • maxConcurrentCalls = 16
  • maxConcurrentSessions = 10
  • maxConcurrentInstances = maxConcurrentCalls + maxConcurrentSessions

The defaults changed in .Net 4.0 because the .Net 3.0/3.5 values were too conservative given the increase in server resources, especially the number of cores available. The default values for .Net 4.0 are:

  • maxConcurrentCalls = 16 * Environment.ProcessorCount
  • maxConcurrentSessions = 100 * Environment.ProcessorCount
  • maxConcurrentInstances = maxConcurrentCalls + maxConcurrentSessions
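The same throttle applied in code rather than in web.config, as an added example (not code from the original post). It makes the .Net 4.0 default formula explicit so the limits are visible and reviewable; the ICalculator contract, the CalculatorService type and the localhost address are assumptions made up for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// Assumed contract and service, not part of the original post.
[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    int Add(int a, int b);
}

// With PerCall every call creates a new instance, so both maxConcurrentCalls
// and maxConcurrentInstances bound the number of in-flight calls.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Multiple)]
public class CalculatorService : ICalculator
{
    public int Add(int a, int b) { return a + b; }
}

public static class ThrottledHost
{
    // Same formula as the .Net 4.0 defaults listed above, made explicit.
    public static ServiceThrottlingBehavior BuildThrottle(int logicalProcessors)
    {
        int maxCalls = 16 * logicalProcessors;
        int maxSessions = 100 * logicalProcessors;
        return new ServiceThrottlingBehavior
        {
            MaxConcurrentCalls = maxCalls,
            MaxConcurrentSessions = maxSessions,
            MaxConcurrentInstances = maxCalls + maxSessions
        };
    }

    public static void Main()
    {
        // Environment.ProcessorCount returns logical processors (Hyper-Threading counts twice).
        ServiceThrottlingBehavior throttle = BuildThrottle(Environment.ProcessorCount);

        using (var host = new ServiceHost(typeof(CalculatorService),
                                          new Uri("http://localhost:8000/calculator")))
        {
            host.AddServiceEndpoint(typeof(ICalculator), new BasicHttpBinding(), "");

            // Remove any throttle that came from config so exactly one applies.
            var fromConfig = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
            if (fromConfig != null) host.Description.Behaviors.Remove(fromConfig);
            host.Description.Behaviors.Add(throttle);

            host.Open();
            Console.ReadLine();   // keep the host running until Enter is pressed
        }
    }
}
```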

The name of the Environment.ProcessorCount property is misleading, as the value is the number of logical processors, so a Hyper-Threading core counts twice. On my development laptop with four Hyper-Threading cores it looks like this:

ASP.Net Security Vulnerability

On Friday, September 17th, a serious security exploit was demonstrated at a security conference by Juliano Rizzo and Thai Duong. A tool called POET (Padding Oracle Exploit Tool) was used to show the exploit against both .Net and Java.

POET exploits a well-known vulnerability in the way many websites encrypt text stored in ViewState, forms authentication tickets, cookies, hidden HTML fields and request parameters.

It is a deficiency in the encryption libraries of both Java and the .Net framework, exploiting the fact that encrypted strings are padded to a block size of e.g. 8 bytes, 16 bytes, …. I will not go into details, as it is explained well here.

The exploit works on any block-cipher encryption mechanism, such as AES, DES and Triple DES.

The exploit is quite severe, as it can be used to download the web.config file.

"The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application). We will obviously release a patch for this…" – Scott Gu

There are lots of systems affected, such as ASP.Net 1.0-4.0 (WebForms and MVC), SharePoint, Microsoft CRM, JavaServer Faces etc.

HTTPS with SSL/TLS does not protect your site.

Below is a video showing how to use the POET tool with DotNetNuke.

Scott Gu has workaround details until Microsoft releases a patch.

Update September 29th, 2010: A security update is released by Microsoft. More details about the patch on Scott Gu’s blog.

Configuring Windows 7 network priority

Windows 7 apparently always prioritizes the wireless network connection (Wi-Fi) – no matter if a faster wired network connection is available. This is default behavior – go figure!

Luckily you can change it, but it isn’t easy to find. Do the following:

  1. Go to “Network and Sharing Center” (e.g. through the “Control Panel”)
  2. Click “Change Adapter Settings”
  3. In the “Network Connections” window, press the ALT key on your keyboard to bring up the menu bar.
  4. Click the “Advanced” menu and then “Advanced Settings”
  5. In the “Advanced Settings” window, on the “Adapters and Bindings” tab under “Connections”, you can change the network connection priority with the arrows on the right.

It will still connect to all available network connections (wireless and wired), unless they are disabled.

Enabling Danish for SQL Server FullText

SQL Server FullText lets you search large amounts of text quickly, and it is easy to use. It hasn’t changed much since SQL Server 2000.
A simple getting started tutorial can be found on Code Project.

SQL Server FullText is easy to use in applications requiring string searching.

The Danish, Polish and Turkish word breaker and stemmer implementations for SQL Server FullText are not developed by Microsoft and are therefore not enabled by default. The libraries are however part of the installation and are therefore present on disk.

To make use of the Danish language capabilities in SQL Server 2008, register the libraries in the registry and reload the FullText languages:

  1. Download and run the DanishFulltext.reg file on the server. It registers the word breaker, the stemmer and the default location of the thesaurus XML file.
  2. Run exec sp_fulltext_service 'update_languages' in Management Studio.

Now verify that Danish is enabled with this query: SELECT name FROM sys.fulltext_languages

Note: The DanishFullText.reg file assumes that SQL Server is a default instance (not a named instance). If not, modify the file by changing MSSQL10.MSSQLSERVER to the instance name.

It is the same case with Polish and Turkish: they are not registered by default. See more in the MSDN article How to: Load Licensed Third-Party Word Breakers.

Out-of-the-box SQL Server 2008 FullText supported languages: Arabic, Bengali (India), Brazilian, British English, Bulgarian, Catalan, Chinese (Hong Kong SAR, PRC), Chinese (Macau SAR), Chinese (Singapore), Croatian, Danish, Dutch, English, French, German, Gujarati, Hebrew, Hindi, Icelandic, Indonesian, Italian, Japanese, Kannada, Korean, Latvian, Lithuanian, Malay – Malaysia, Malayalam, Marathi, Neutral, Norwegian (Bokmål), Polish, Portuguese, Punjabi, Romanian, Russian, Serbian (Cyrillic), Serbian (Latin), Simplified Chinese, Slovak, Slovenian, Spanish, Swedish, Tamil, Telugu, Thai, Traditional Chinese, Turkish, Ukrainian, Urdu, Vietnamese.