IIS 7 and Above
IIS 7.5 How to prevent HTTP Slow POST DoS Attack
Last post Feb 25, 2014 05:14 AM by singh_g99
Feb 05, 2014 10:55 PM|singh_g99|LINK
I've an ASP.NET MVC 5 application deployed on IIS 7.5
As per my security admin, my site is vulnerable to Slow HTTP POST DoS attack.
1. My understanding is that Slow HTTP POST attack is what keeps the connection open in IIS until full request (headers/data) is received. Am I right?
2. I tested the same using HttpDosTool3.6 & found that the following request is kept open by IIS for just too much time (though on some instances of IIS, connections are getting timed out in around 120 seconds, but in others they stay open for more than
10 minutes which is an issue I think. Right? Though on all instances, connection timeout was set to 120 seconds in site <limits>). Also, changing these limits has no effect on timeout: either I increase or decrease this time in site <limits>, site still timesout
in 120 seconds only or keeps connection open for unlimited time on other instances of IIS.
3. I think if site starts doing connection timeout in 120 seconds everywhere, that should also resolve the Slow HTTP Post issue (as the issue is when connection is kept open for huge duration). Right? If yes, where can I set such time?
So how to achieve this all in IIS hosting ASP.NET MVC 5 application? I've tried setting header limits, connection timeouts in site limits, defining <webLimits> in applicationHost.config but no +ve result was given by these.
Request (Tool sent 400 simultaneous such requests and all were kept open for unreasonable time)
POST / HTTP/1.1 Host: xxxxxxxxxxx.com User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12) Connection: keep-alive Content-Length: 1000000
Feb 06, 2014 02:52 AM|lextm|LINK
Feb 06, 2014 05:57 AM|singh_g99|LINK
I think requests will reach my application (MVC) only once IIS receive it fully from client, but because its a slow POST attack, so IIS keeps on waiting for the full data which never reaches to it. Thus it should be IIS issue. No?
I also set the site <limits> in IIS, but these don't work. I don't know why. It could be binding or anything in IIS.
Feb 06, 2014 06:31 AM|Rovastar|LINK
Have you only changed the keepalive timeout?
Have you walked through Failed request tracing?
Are they any other network kit forcing a connection open. Proxys, etc?
Haveyou followed other best practice instrustions for preventing this?
like from a quick google
Feb 06, 2014 09:12 AM|singh_g99|LINK
ok. Here is what I've reached so far.
Following are my key web.config settings:
<add verb="GET" allowed="true"/>
<requestLimits maxAllowedContentLength="1" maxUrl="100" maxQueryString="75">
<add header="Content-Type" sizeLimit="1" />
<add header="Content-Length" sizeLimit="1"/>
<add name="X-Frame-Options" value="SAMEORIGIN" />
Now I installed IIS 7.5 (comes with win 7 OS installed on my system) on my local & after publishing this site on local IIS, I set connection timeout <limits> in IIS to 30 seconds & I tried same POST request (simulates HTTP POST attack as mentioned in top
most message). I successfully got "Content not found" probably because of Content-Length size limit & then all requests (used in attack) were killed by IIS after 30 seconds (as set in IIS connection timeout <limits>). So this is working fine on my local!
But all same settings don't work when I publish site on DEV/TEST servers (managed by admins). Test servers are Win 2008 R2.
The only difference that I can think right now at IIS level is that on my local I access site using
http://localIPAddress:PORT/ but on dev/test I access it using
http://siteName-DEV.com/. They (IIS admins) have mapped this sitename to our site (which uses default 80 * port).
Feb 06, 2014 10:42 PM|singh_g99|LINK
This is what I've found:
IIS on my DEV site is running multiple applications & all are bound to port 80 (including default site) and all sites have host names assigned to them.
This way, I can access my site as
http://mysiteHostName.domain.com/ . But time out settings don't work here, e.g. if I set connection time out limit to 30 seconds for mysiteHostName, site won't time out in 30 seconds.
Now, when I change port of my site to something else (say 81) & access it like http://mysiteHostName.domain.com:81/ keeping time out to 30 seconds, site times out correctly after 30 seconds!
This is happening for all sites, I mean irrespective of ASP.NET Web Forms site or ASP.NET MVC site.
How can achieve same thing while running my site at port 80? Is there something on my DEV server or DEV IIS which is preventing port 80 to timeout after the assigned value? Could it be proxy or firewall issue related to port 80?
Feb 14, 2014 08:05 AM|Rovastar|LINK
Also try installing the latest microsoft patches. Feb 20114 release did fix one for asp.net for the slow HTTP DoS attacks.
Feb 25, 2014 05:14 AM|singh_g99|LINK
My assumption was correct. The problem was an intermediate server (proxy server) which redirects requests to our server (which runs the website using DNS). This intermediate server acts as a load balancer (as a DNS Server Process) & is specially designed
to validate incoming data before passing it to IIS. This proxy server handles the incoming requests itself & passes them to main IIS server only after complete request is received (however it doesn't timeout so that it can work with slow clients). Yet, it
can handle slow requests by moving them to background & freeing up main threads for new requests.
Thus this intermediate server wasn't timing out & was giving impression that our server/site is vulnerable to Slow HTTP POST DoS attack. However, actually it wasn't.
Hope this forum post would be helpful to the community.