IIS DoS via Chunked Encoding

Chunked Encoding via Post Method
Reported March 20, 2000 by
Petteri Stenius
  • Microsoft Internet Information Server 4.0


According to Microsoft"s report on the matter, "IIS 4.0 supports chunked encoding transfers, but does not limit the size of the buffer that can be reserved. This would allow a malicious user to request an extremely large buffer for a POST or PUT operation, but never actually send data, thereby blocking memory on the server that had been allocated to the session. If sufficient memory on the server were blocked in this fashion, it could prevent the server from performing useful work."


Microsoft has issued a patch for Intel and Alpha platforms, a FAQ, and Support Online article Q252693

For further information, refer to RFC 2616, Hypertext Transfer Protocol - HTTP 1.1

Discovered and reported by
Petteri Stenius
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.