
HTTP Slow Post and IIS settings to prevent

So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to a slow HTTP POST DoS attack. The report stated we should:

  • Limit request attributes through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
  • Set <headerLimits> to configure the type and size of header your web server will accept.
  • Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.

The trouble is I'm having a hard time finding any recommendations on how these values should be set. E.g., the minBytesPerSecond default is 240, but what should it be to prevent SlowHTTPPost attacks?

Cheers Jens

asked Jan 25 '16 10:01
M Raymaker


1 Answer

So, ended up following this guy's recommendations:

http://cagdasulucan.blogspot.se/2013/02/iis-recommendations-against-slow-http.html

answered Oct 31 '22 18:10
M Raymaker
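
The attributes named in the report live in different configuration sections. As an added example (not from the original post or the linked blog), this applicationHost.config excerpt shows where each one goes; the site name and every value are illustrative assumptions to tune against real traffic, not recommended settings.

```xml
<!-- Excerpt of %windir%\System32\inetsrv\config\applicationHost.config.
     Site name and all values are constructed for illustration. -->
<configuration>
  <system.applicationHost>
    <!-- Server-wide HTTP.sys timers.
         headerWaitTimeout: time allowed for the full request header to
           arrive (default 00:00:00).
         minBytesPerSecond: minimum rate HTTP.sys enforces when sending a
           response to the client (default 240); it does not rate-check
           an incoming request body.
         connectionTimeout: idle timer, which also covers a request entity
           body that stops arriving (default 00:02:00). -->
    <webLimits connectionTimeout="00:00:30"
               headerWaitTimeout="00:00:30"
               minBytesPerSecond="500" />
    <sites>
      <site name="ExampleSite" id="1">
        <!-- Per-site override of the idle/entity-body timer -->
        <limits connectionTimeout="00:00:30" />
      </site>
    </sites>
  </system.applicationHost>

  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Defaults: maxAllowedContentLength=30000000 (bytes),
             maxUrl=4096, maxQueryString=2048.
             Size the body limit to the largest legitimate POST. -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048"
                       maxQueryString="1024">
          <headerLimits>
            <!-- Per-header size cap in bytes -->
            <add header="Content-Type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The `requestFiltering` block can also be placed in a site's web.config; `webLimits` and the site `<limits>` element are only valid in applicationHost.config.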