The publicly disclosed exploit would cause the web server to
generate thousands (or more likely tens of thousands) of HTTP 500 and 404 error
responses to requests from a malicious client.
You can use stateful filters in your firewall or intrusion
detection systems on your network to detect such patterns and block such
clients. The Dynamic IP Restrictions module supported by IIS 7 can also
be used to block these types of attacks.
An attack attempt like this should also generate thousands
of warnings in the application event log of your server similar to:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/11/1111 11:11:11 AM
Application information:
Application domain:
c1db5830-1-129291000036654651
Application Virtual Path: /
Exception information:
Exception type: CryptographicException
Exception message: Padding is invalid and
cannot be removed.
Note that there are non-attack reasons to see this error as
well (including cases where you have mismatched keys on a web-farm, or a search
engine is following links incorrectly, etc), so its presence does not
necessarily indicate an attack.
The exception also does not mean that an attack was
successful. Implementing the <customErrors> workaround we have
provided can protect your application from the public exploit, and ensure that
these exceptions do not disclose information that an attacker can use against
the application.