
The third-party tool we used for a security test is reporting a Slow HTTP POST vulnerability on Tomcat 8. We have a simple Spring Controller and JSP in the application.

Existing Tomcat connector config is below:

<Connector port="8643" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" compression="on" 
  clientAuth="false" sslProtocol="TLS" maxPostSize="20480" 
  maxSwallowSize="20480" maxHeaderCount="25" maxParameterCount="100"/>

Note that we don't have Apache or Nginx in front of tomcat. Please suggest the configs that we can use directly on Tomcat.

  • What do you mean by "Slow HTTP Post Vulnerability"? – Jim Garrison Mar 23 '18 at 05:37
  • Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a DoS. – nasminspy Mar 23 '18 at 05:44
  • I answered and edited my answer several times. Please check. – Eugène Adell Mar 23 '18 at 06:55
  • Thanks. I have tried that and still getting the same vulnerability. :( – nasminspy Mar 23 '18 at 07:14
  • Questions on professional server- or networking-related infrastructure administration are off-topic for Stack Overflow unless they directly involve programming or programming tools. You may be able to get help on [Server Fault](https://serverfault.com/about). – President James K. Polk Mar 23 '18 at 11:36

1 Answer

An example of a Slow HTTP Attack is SLOWLORIS.

To mitigate it with Tomcat, the solution is to use the NIO Connector, as explained in this tutorial.

What is unclear with your problem is that Tomcat already uses the NIO connector by default on Tomcat 8, which is your configuration:

The default value is HTTP/1.1 which uses an auto-switching mechanism to select either a non blocking Java NIO based connector or an APR/native based connector.

Maybe you should set some other Connector parameters to specifically limit POST abuse. I suggest:

maxPostSize="1048576" (1 MByte)
connectionTimeout="10000" (10 seconds between the connection and the URI request)
disableUploadTimeout="false" (activate the POST maximum time allowed)
connectionUploadTimeout="20000" (maximum POST of 20 seconds)

An option is also to limit the number of headers (the default being 100), but this can have side effects with people using smartphones (which are known to send many headers):

maxHeaderCount="25"

But it depends if your traffic is coming from Internet, or if it is a pro intranet with known users. In this latter case you could adjust the settings to be more permissive.

Edit 1: hardening with MultipartConfig

As stated in some other posts, maxPostSize might not work for limiting uploads. When using Java 7 built-in uploads, it is possible to configure limits by an annotation on the Servlet, or by configuration. It's not a pure Tomcat configuration as you asked, but it is necessary to know about it and talk with the DEV team, as security must be taken into account since the early stages of development.

Edit 2: disabling chunked Transfer-Encoding

Some Slow HTTP POST attacks are based on requests sent with a Transfer-Encoding: chunked header and then sending many or an infinite number of chunks. To counter this attack, I suggest configuring a Rewrite Valve.

To achieve this, add the valve in your Host definition in server.xml:

<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

Supposing your host name is the default one (localhost), you need to create the $CATALINA_BASE/conf/Catalina/localhost/rewrite.config file with this content:

RewriteCond %{HTTP:Transfer-Encoding} chunked
RewriteRule ^(.*)$ / [F]

If necessary, you can adapt the RewriteRule to reply with something other than the 403 Forbidden that the F flag produces. This is pure Tomcat config and flexible.

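As an added example that is not part of the question or the answer, here is a small Python check that reads a server.xml Connector element and reports which of the limits suggested above are missing or too loose. It assumes Tomcat 8's documented defaults for attributes that are absent (connectionTimeout 60000, disableUploadTimeout true, connectionUploadTimeout 300000, maxPostSize 2097152, maxHeaderCount 100); the thresholds are the values suggested in the answer.

```python
# Added example, not code from the question or the answer: audit a Tomcat 8
# <Connector> against the Slow HTTP POST limits suggested in the answer.
import xml.etree.ElementTree as ET

# Tomcat 8 defaults applied when an attribute is not set in server.xml
# (taken from the Tomcat 8 HTTP Connector documentation).
TOMCAT8_DEFAULTS = {
    "connectionTimeout": "60000",
    "disableUploadTimeout": "true",
    "connectionUploadTimeout": "300000",
    "maxPostSize": "2097152",
    "maxHeaderCount": "100",
}

# (attribute, predicate on the effective value, finding text)
CHECKS = [
    ("connectionTimeout", lambda v: int(v) <= 10000,
     "should be <= 10000 ms so idle connections are dropped quickly"),
    ("disableUploadTimeout", lambda v: v.lower() == "false",
     "should be false so connectionUploadTimeout applies to slow POST bodies"),
    ("connectionUploadTimeout", lambda v: int(v) <= 20000,
     "should be <= 20000 ms to bound how long a POST body may take"),
    ("maxPostSize", lambda v: 0 < int(v) <= 1048576,
     "should be a positive value <= 1 MByte (non-positive disables the limit)"),
    ("maxHeaderCount", lambda v: 0 < int(v) <= 25,
     "should be <= 25 (may affect clients that send many headers)"),
]

def audit_connector(server_xml: str) -> list:
    """Return one finding per Connector attribute that misses a suggested limit."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        for attr, ok, msg in CHECKS:
            value = conn.get(attr, TOMCAT8_DEFAULTS[attr])  # fall back to default
            if not ok(value):
                findings.append(f"port {port}: {attr}={value} {msg}")
    return findings

# Constructed sample: the connector from the question, which sets no timeouts.
QUESTION_CONNECTOR = """<Connector port="8643" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" compression="on"
  clientAuth="false" sslProtocol="TLS" maxPostSize="20480"
  maxSwallowSize="20480" maxHeaderCount="25" maxParameterCount="100"/>"""

# The same connector with the answer's suggested limits added.
HARDENED_CONNECTOR = QUESTION_CONNECTOR.replace(
    'maxPostSize="20480"', 'maxPostSize="1048576" connectionTimeout="10000" '
    'disableUploadTimeout="false" connectionUploadTimeout="20000"')

if __name__ == "__main__":
    for line in audit_connector(QUESTION_CONNECTOR) or ["no findings"]:
        print(line)
```

Run it against your own server.xml by passing the file contents to audit_connector; the question's connector yields three findings (the two timeouts and disableUploadTimeout), the hardened one none.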
  • I have done the below changes. Scan is still giving the Slow HTTP Attack vulnerability. Is there any config to limit the content length in tomcat? connectionTimeout="10000" disableUploadTimeout="false" connectionUploadTimeout="20000" maxHeaderCount="25" – nasminspy Mar 23 '18 at 07:12
  • content-length is limited by maxPostSize , it's in the answer – Eugène Adell Mar 23 '18 at 07:14
  • content length is not limited by maxpostsize because i set it as maxPostSize="1" and able to send content length as 1000 – nasminspy Mar 23 '18 at 08:08
  • You should maybe test with more normal values above TCP window (maxPostSize 16 kB / send 256 kB of data). What does the scan give with "more normal" values ? There are other ways to limit the post data size, I will edit my answer. – Eugène Adell Mar 23 '18 at 08:44
  • We don't know what the scan is doing exactly. Maybe, reduce connectionTimeout to 1 or 2s, connectionUploadTimeout to 3/4s. Maybe, come back with a network capture of this scan. – Eugène Adell Mar 23 '18 at 09:12
  • Almost finished my answer now. Come back to tell us the result, and if nothing confidential a capture showing this scan will be appreciated. – Eugène Adell Mar 23 '18 at 11:09
  • We reduced the connectionTimeout="8000" and the scan passed. Sorry for the late reply. Thanks for the help. – nasminspy Mar 28 '18 at 08:37
  • @nasminspy Maybe mark the answer as good if it solved your problem. This helps other people finding solutions faster. – Eugène Adell Jun 29 '20 at 10:53