10

So we got this report from a security company saying our MVC website running on IIS 8.0 was vulnerable to a slow HTTP POST DoS attack. The report stated we should

  • Limit request attributes through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
  • Set <headerLimits> to configure the type and size of header your web server will accept.
  • Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.

The trouble is I'm having a hard time finding any recommendations on how these values should be set. E.g. the minBytesPerSecond default is 240, but what should it be to prevent SlowHTTPPost attacks?

Cheers Jens

Mr Lister
M Raymaker
  • 2
    The difficulty with such settings is that you will have to observe the actual values of your web applications and then set a moderate limit. There would be no guidance from others as their apps are different. You cannot remedy such security issues by setting a limit, but a suitable limit can lower the risks. – Lex Li Jan 25 '16 at 11:02
  • You're right, but how can I observe the actual values? – M Raymaker Jan 25 '16 at 11:20
  • IIS log files contain the time-taken field. Import them into a database and start your data mining. There might be some automatic tools also. – Lex Li Jan 25 '16 at 11:31
  • 1
    OK, analyzing my IIS logs with Indishang gives me e.g. one page with mean bytes sent 1567 and mean time taken 1656 ms. Does this mean the page was sent with 1567/1.656 = 946 bytes per second? – M Raymaker Jan 26 '16 at 13:22
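To follow Lex Li's suggestion of mining the IIS logs before choosing a value, here is an added example (not code from the question or either answer) that parses W3C-format IIS log lines and reports which successful requests would fall under a candidate minBytesPerSecond. The log lines are constructed, and the rate is sc-bytes divided by time-taken, the same ratio used in the comment above; because time-taken also covers request upload and server processing, it is only a lower bound on what HTTP.sys measures.

```python
import statistics
from typing import Iterator, Optional

# Constructed sample in the W3C extended format IIS writes by default.
# time-taken is in milliseconds; sc-bytes is bytes sent to the client.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time cs-method cs-uri-stem sc-status sc-bytes cs-bytes time-taken
2016-01-25 10:00:01 GET /index 200 1567 420 1656
2016-01-25 10:00:02 GET /css/site.css 200 24000 300 80
2016-01-25 10:00:05 POST /upload 200 512 2048000 900000
2016-01-25 10:00:09 GET /api/items 200 9800 350 120
2016-01-25 10:00:11 GET /report 200 81920 390 512000
"""

def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def send_rate(entry: dict) -> Optional[float]:
    """Response bytes per second as seen in the log (sc-bytes / time-taken).
    time-taken also includes receiving the request body and server processing,
    so this is a conservative (low) estimate of the real send rate."""
    ms = int(entry["time-taken"])
    if ms <= 0:
        return None  # IIS logs 0 for sub-millisecond requests; no meaningful rate
    return int(entry["sc-bytes"]) / (ms / 1000)

def rate_summary(text: str) -> dict:
    """Observed count, minimum and median send rate across the whole log."""
    rates = sorted(r for e in parse_w3c(text) if (r := send_rate(e)) is not None)
    return {"count": len(rates), "min": rates[0], "median": statistics.median(rates)}

def would_be_cut(text: str, min_bytes_per_second: int) -> list:
    """Successful (2xx) requests whose observed rate is below a candidate
    minBytesPerSecond, as (uri, rate, cs-bytes). A large cs-bytes value means
    the slow time was really a slow upload, not a slow response."""
    hits = []
    for e in parse_w3c(text):
        r = send_rate(e)
        if r is not None and e["sc-status"].startswith("2") and r < min_bytes_per_second:
            hits.append((e["cs-uri-stem"], round(r, 1), int(e["cs-bytes"])))
    return hits

if __name__ == "__main__":
    print(rate_summary(SAMPLE_LOG))
    for uri, rate, uploaded in would_be_cut(SAMPLE_LOG, 400):
        print(f"{uri}: {rate} B/s (request body {uploaded} bytes)")
```

Run it against a real log directory by concatenating the u_ex*.log files into `text`; any legitimate page that shows up in `would_be_cut` for your candidate value is one the new limit could start dropping.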

2 Answers

8

So, ended up following this guy's recommendations:

http://cagdasulucan.blogspot.se/2013/02/iis-recommendations-against-slow-http.html

M Raymaker
0

In our tests, we found out that Qualys is flagging the URL because the server keeps the connection open for 500 seconds while waiting for the request to be completed.

The parameter that we edited for the connection to stay open during the slow response is minBytesPerSecond. The default value is 250. We set it to 400.

Prevent Slow HTTP POST vulnerability Denial of Service (DoS) attack

Ned
  • Is this still valid? I made that change and many others and I'm still getting that slow HTTPS vulnerability. Already set webLimits and limits. – flip Aug 20 '21 at 16:27