IIS 3.0 allows remote attackers to cause a denial of service via a request to an ASP page in which the URL contains a large number of / (forward slash) characters.
https://exchange.xforce.ibmcloud.com/vulnerabilities/3892
http://support.microsoft.com/support/kb/articles/q187/5/03.asp