I have a public facing IIS 7.5 web server running a single ASP.NET website, which has just failed one of our security scans with a "slow post" vulnerability.
Have tried reducing the httpruntime executiontimeout value in the web.config for the site, but the site still fails the security scan.
Anyone got any recommendations to IIS settings / configuration to prevent slow post dos attacks?
Edit: I'm thinking the only way to possibly prevent this is to do it in the application, looking at the headers in the BeginRequest sub in the global.asax and, based on the kind of content, ending/closing the response...
The tool recommends testing the vulnerability with this: https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool But I'm really just trying to identify if there's any IIS configuration that can be done to fix it.
Slow post: "How HTTP POST DDOS attack works (HTTP/1.0) (cont'd)
- For e.g., Content-Length = 1000 (bytes). The HTTP message body is properly URL-encoded, but ...
- ... is sent at, again for e.g., 1 byte per 110 seconds.
- Multiply such connections by 20,000 and your IIS web server will be DDOS.
- Most web servers can accept up to 2GB worth of content in a single HTTP POST request."
ref: https://media.blackhat.com/bh-dc-11/Brennan/BlackHat_DC_2011_Brennan_Denial_Service-Slides.pdf
IIS doesn't have any rate throttling natively (or I guess it's negative rate throttling in this case). You can check out the Dynamic IP Restrictions module (http://www.iis.net/download/DynamicIPRestrictions). I don't believe it will check this specifically, but it's worth a peek.
Checks for this may stand a better chance on your firewall IDS filtering. There may be support there for checking this type of attack.
Your security scan ought to tell you what it triggered on.
How low did you set the execution timeout? Something else to lower (it'd have to be pretty low to mitigate this attack...) would be the connection timeout.
But, the thing with these mitigations is that they don't prevent the attack outright, just make it less potent per the volume of attacking resources; the threshold setting for your security scan is likely a pretty arbitrary number, and getting under that number doesn't mean you're immune to the attack.
In our tests, we found out that Qualys is flagging the URL because the server keeps the connection open for 500 seconds while waiting for the request to be completed.
The parameter that we edited for the connection to stay open during the slow response is minBytesPerSecond. The default value is 250. We set it to 400.
This might be OTT and might not even do what you want, but it might be worth a look: http://www.snort.org/ and http://www.sans.org/security-resources/idfaq/snort.php