InfoPath Forms Services DoS postbacks per session - Event 5736 (SharePoint Server 2010)
Applies to: SharePoint Server 2010 Enterprise
Alert Name: InfoPath Forms Services DoS postbacks per session
Event ID: 5736
Summary: Some InfoPath form controls, actions, and features require the browser to communicate with the server during a form session. This exchange of data during the session is called a postback, and usually occurs when a form feature has to send data to the server for processing. Unnecessary postbacks impose an additional load on both the browser and the server. To protect the server, a threshold is set for the maximum number of postbacks per session. This limits the number of postbacks that can be executed during a single session when a user is filling out a form, and prevents malicious users from trying to bring down the server.
A user has exceeded the threshold that was set for the number of postbacks allowed per form session. When this condition occurs, the user session is stopped to protect the server.
Symptoms: The following message may appear in the event log: Event ID: 5736 DescriptionNumber of postbacks, <integer>, has exceeded <integer>, the maximum allowable value per session. This value is configurable and can be changed by the administrator. (User: <UserName>, Form Name: <FormName>, Request: <http://servername/_layouts/Postback.Formserver.aspx>, Form ID: <FormID>)
Cause: One or more of the following might be the cause:
A user has tried a denial of service (DoS) attack against a server on which InfoPath Forms Services in Microsoft SharePoint Server 2010 runs.
The number of postbacks allowed per InfoPath form session state is too low.
Resolution: Check the server logs for signs of a DoS attack
Search the Windows event log and the Internet Information Services (IIS) logs for indications of a DoS attack. If this is a DoS attack and if an administrator-approved form template is affected, remove the form template from the site collection or deactivate the form template.
To check the Windows event log:
Open the Windows Event Viewer.
Search for event ID 5736 in the Windows application event log.
In the event description, check the Form ID. If there are multiple events for the same form ID, this might indicate that a malicious user has deployed a form that is causing many postbacks in an attempt to bring down the server.
To check the IIS logs:
Go to \inetpub\logs to review the IIS logs.
The Internet Information Services (IIS) log entries can be correlated to the event log information. If many GET requests for a specific form are in the IIS log and if this form is also causing many postbacks, which are being logged, a DoS attack might be in progress.
The IIS log entries also contain the IP address of the machine that sent the request.
To deactivate a form template from a site collection:
On the SharePoint Central Administration Web site, on the Quick Launch click General Application Settings, and in the InfoPath Forms Services section click Manage form templates.
In the list of form templates click the form template that you want to deactivate, and in the drop-down list click Deactivate from a Site Collection.
On the Deactivate Form Template: <template> page, in the Deactivation Location section, select the site collection and then click OK.
To remove a form template completely:
On the Central Administration page, on the Quick Launch, click General Application Settings and in the InfoPath Forms Services section click Manage form templates.
In the list of form templates click the form template that you want, and in the drop-down list click Remove Form.
Resolution: Increase the number of postbacks allowed per session
On the Central Administration page, on the Quick Launch, click General Application Settings and in the InfoPath Forms Services section click Configure InfoPath Forms Services.
In the Thresholds section, increase the value for number of postbacks allowed per session.
Increasing the value of this setting can adversely affect server performance and increase the risk of DoS attacks on the server.