I have a custom WCF service hosted within a Windows service configured as follows:
<system.web><httpRuntime maxRequestLength="512000000" /><compilation debug="true" /></system.web><!-- When deploying the service library project, the content of the config file must be added to the host's
app.config file. System.Configuration does not support config files for libraries. --><system.serviceModel><client /><bindings><customBinding><binding name="ESSMexBinding"><tcpTransport maxPendingConnections="20" listenBacklog="20"><connectionPoolSettings groupName="default" maxOutboundConnectionsPerEndpoint="20" /></tcpTransport></binding></customBinding><netTcpBinding><binding name="ESSTcpBinding" sendTimeout="00:15:00" closeTimeout="0:10:00" receiveTimeout="0:15:00" openTimeout="00:15:00"
transactionFlow="false" transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="20"
maxBufferPoolSize="512000000" maxBufferSize="512000000"
maxConnections="20" maxReceivedMessageSize="512000000"><readerQuotas maxDepth="32" maxStringContentLength="512000000" maxArrayLength="512000000" maxBytesPerRead="512000000" maxNameTableCharCount="512000000" /><security mode="Transport"><transport clientCredentialType="Windows" /></security><!--<security mode="None" />--><!--<reliableSession
ordered="true"
inactivityTimeout="00:15:00"
enabled="true" />--></binding></netTcpBinding></bindings><services><service name="ESService.ESS" behaviorConfiguration="ESServiceBehavior"><clear /><endpoint address="" binding="netTcpBinding" bindingConfiguration="ESSTcpBinding" name="ESTCPEndpoint"
contract="ESService.IESService" listenUriMode="Explicit"><identity><dns value="localhost" /><certificateReference storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectDistinguishedName" /></identity></endpoint><endpoint address="mex" binding="customBinding" bindingConfiguration="ESSMexBinding" name="ESMEXEndpoint" contract="IMetadataExchange" listenUriMode="Explicit"><identity><dns value="localhost" /><certificateReference storeName="My" storeLocation="LocalMachine" x509FindType="FindBySubjectDistinguishedName" /></identity></endpoint><host><baseAddresses><add baseAddress="net.tcp://localhost:8888/ESService" /></baseAddresses><timeouts closeTimeout="00:02:00" openTimeout="00:02:00" /></host></service></services><behaviors><serviceBehaviors><behavior name="ESServiceBehavior"><serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" /><bufferedReceive maxPendingMessagesPerChannel="255" /><dataContractSerializer maxItemsInObjectGraph="2147483647" /><serviceDebug includeExceptionDetailInFaults="true" /><serviceTimeouts transactionTimeout="00:15:00" /><serviceThrottling maxConcurrentCalls="200" maxConcurrentSessions="100" maxConcurrentInstances="100" /></behavior></serviceBehaviors></behaviors></system.serviceModel>Sometimes the service becomes non responsive and it is even not possible to call the `.Close` method from `OnStop()` - the windows service hangs in Stopping state.
At certain times a series of very many malformed requests appears in the log file in timespan of 1-2 minutes and after that the WCF service becomes non responsive and the Windows service when stopped hangs in Stopping state unable to finish executing the WCF's
service Close method. The server has to be restarted to make it work again.
The exceptions logged are as follows:
- Error while reading message framing format at position 0 of stream (state: ReadingVersionRecord)
- Socked connection aborted
- Expected record type 'Version', found '71'.
- Error while reading message framing format at position 0 of stream (state: ReadingVersionRecord)
There is about 400 exceptions in timespan of 1 minute.
I have investigated the event logs and found out, that the times of theese possible DOS attacks collide exactly with errors in Event log
APM Agent, 4009 Performance counters corrupted.
APM Agent, 4151 Microsoft Monitoring Agent APM service is inaccessible. Please check that it is not in a disabled state.
There is a file present on the computer, SCOM is running there:
C:\Program Files\Microsoft Monitoring Agent\Agent\APMDOTNETAgent\V8.0.10918.0\x64
DLL version
15.0.0.189
How can we fix this?