Avoiding Denial of Service

banner art

[Applies to: Microsoft Dynamics CRM 4.0]

Find the latest SDK documentation: CRM 2015 SDK

Microsoft Dynamics CRM supports infinite loop detection to prevent a plug-in from overloading the system and causing a denial-of-service attack or deadlocks. For example, if a plug-in is registered for an update event of an account entity and that plug-in does an update of an account, an infinite loop would result. Infinite loop detection is automatically enabled in plug-ins that call the CreateCrmService method of IPluginExecutionContext to create a proxy to the Web service.

For plug-ins that create a Web service proxy by instantiating CrmService, infinite loop detection can be enabled by setting the Web service instance's CorrelationTokenValue property. Plug-in code can obtain the Correlationid, CorrelationUpdatedTime, and Depth property values required by the CorrelationTokenValue instance from the execution context as shown in the following code sample.

using System;
using Microsoft.Crm.Sdk;
using Microsoft.Crm.SdkTypeProxy;
using CrmSdk;

public class SamplePlugin : IPlugin
   public void Execute(IPluginExecutionContext context)
      CrmService service = new CrmService();
      service.Credentials = System.Net.CredentialCache.DefaultCredentials;
      service.CorrelationTokenValue =          new CorrelationToken(context.CorrelationId, context.Depth,                              context.CorrelationUpdatedTime);
      // Add more plug-in code here.


Infinite loop detection is not supported in Microsoft Dynamics CRM 3.0 callouts. Denial-of-service attacks can occur from callouts that are executed by Microsoft Dynamics CRM 4.0.

The following example is used to illustrate how an infinite loop can occur. Assume a scenario where plug-in P is registered to run for a contact update and callout C is registered to run for an account update. Plug-in P's code performs an account update while callout C's code performs a contact update. When a contact update is processed by the platform, an infinite loop occurs.

  • contact update is processed by the event execution pipeline
  • plug-in P executes and performs an account update
  • callout C executes and performs a contact update
  • result is an infinite loop

See Also


© 2010 Microsoft Corporation. All rights reserved.