
MinBytesPerSecond for Slow HTTP Post Attack

4 replies

Last post Apr 14, 2020 02:15 PM by coldplay5467

  • MinBytesPerSecond for Slow HTTP Post Attack

    Dec 27, 2018 03:24 PM | PavanKasi

    I recently received a Qualys report which listed SLOW HTTP POST as a vulnerability with my application.

    I have checked the various countermeasures, and configuring MinBytesPerSecond in the <webLimits> section of applicationhost.config has been suggested. However, setting this field does not seem to have any effect. The documentation of this setting states:

    "Specifies the minimum throughput rate, in bytes, that HTTP.sys enforces when it sends a response to the client."

    Does this mean the setting only applies to responses and not to requests? If so, how can one implement any minimum speed on a Slow HTTP POST Request?

  • Re: MinBytesPerSecond for Slow HTTP Post Attack

    Dec 28, 2018 08:37 AM | Jalpa Panchal

    Hi PavanKasi,

    PavanKasi

    Does this mean the setting only applies to responses and not to requests?

    Yes, MinBytesPerSecond in <webLimits> specifies the minimum throughput rate, in bytes, that HTTP.sys enforces when it sends a response to the client. It only works for responses.

    To protect against slow HTTP attacks, set:
    • Limit requests using the <RequestLimits> element; in this, set the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
    • Set <headerLimits> to configure the type and size of headers.
    • Use the <limit> and <webLimits> elements to minimize the impact of slow HTTP attacks; set the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes.

    Regards,

    Jalpa.

    .NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
  • Re: MinBytesPerSecond for Slow HTTP Post Attack

    Jan 21, 2020 03:12 AM | wright.wang

    Jalpa Panchal

    To protect against slow HTTP attacks, set:
    • Limit requests using the <RequestLimits> element; in this, set the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
    • Set <headerLimits> to configure the type and size of headers.
    • Use the <limit> and <webLimits> elements to minimize the impact of slow HTTP attacks; set the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes.

    I have set all the parameters you mentioned above, but my site is still vulnerable to the Slow HTTP POST DoS attack.

    Below is my configuration:

    Config Path: C:\Windows\System32\inetsrv\config\applicationHost.config

    <system.webServer>

        <sites>
            <site name="MgntPortal-UAT" id="1" serverAutoStart="true">
                <application path="/" applicationPool="MgntPortal-UAT">
                    <virtualDirectory path="/" physicalPath="E:\WorkDir\UAT\ManagementPortal" />
                </application>
                <bindings>
                    <binding protocol="https" bindingInformation="*:443:admin-uat.***.com" sslFlags="1" />
                </bindings>
                <limits connectionTimeout="00:00:30" />
            </site>
        </sites>

        <webLimits connectionTimeout="00:00:30" headerWaitTimeout="00:00:30" minBytesPerSecond="2048" />

    </system.webServer>

    Config Path: Web.config

    <security>
        <requestFiltering>
            <requestLimits maxAllowedContentLength="209715200" maxUrl="2048" maxQueryString="1024">
                <headerLimits>
                    <add header="Content-type" sizeLimit="100" />
                    <add header="Content-Length" sizeLimit="100" />
                </headerLimits>
            </requestLimits>
            <verbs allowUnlisted="false">
                <clear />
                <add verb="GET" allowed="true" />
                <add verb="POST" allowed="true" />
            </verbs>
        </requestFiltering>
    </security>

    I scan my site with Qualys; sometimes it reported the 'Slow HTTP POST vulnerability', sometimes not.

    My environment is Windows Server 2016, IIS 10.

    Could you help me :)
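
The settings discussed in this thread, mapped to the phase of the HTTP exchange each one constrains. This is an added example, not part of the original posts and not Microsoft's code; the phase labels follow the IIS documentation descriptions of each attribute, the input is constructed from the configuration posted above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed input: the relevant elements from the configuration posted in this thread.
APP_HOST = """<root>
  <limits connectionTimeout="00:00:30" />
  <webLimits connectionTimeout="00:00:30" headerWaitTimeout="00:00:30" minBytesPerSecond="2048" />
</root>"""
WEB_CONFIG = """<requestFiltering>
  <requestLimits maxAllowedContentLength="209715200" maxUrl="2048" maxQueryString="1024" />
</requestFiltering>"""

# Phase each attribute constrains (assumption: labels follow the IIS documentation wording).
PHASE = {
    ("webLimits", "connectionTimeout"): "idle connection",
    ("limits", "connectionTimeout"): "idle connection",
    ("webLimits", "headerWaitTimeout"): "request headers",
    ("webLimits", "minBytesPerSecond"): "response rate",
    ("requestLimits", "maxAllowedContentLength"): "request body size",
    ("requestLimits", "maxUrl"): "URL and query size",
    ("requestLimits", "maxQueryString"): "URL and query size",
}
ALL_PHASES = ["idle connection", "request headers", "URL and query size",
              "request body size", "request body rate", "response rate"]
DEFAULT_MAX_BODY = 30_000_000  # IIS default for maxAllowedContentLength, in bytes

def to_seconds(timespan):
    """Convert an IIS hh:mm:ss value to seconds."""
    h, m, s = (int(part) for part in timespan.split(":"))
    return h * 3600 + m * 60 + s

def coverage(*xml_fragments):
    """Map each phase to the (element, attribute, value) settings that constrain it."""
    covered = {phase: [] for phase in ALL_PHASES}
    for fragment in xml_fragments:
        for element in ET.fromstring(fragment).iter():
            for attr, raw in element.attrib.items():
                phase = PHASE.get((element.tag, attr))
                if phase:
                    value = to_seconds(raw) if ":" in raw else int(raw)
                    covered[phase].append((element.tag, attr, value))
    return covered

def findings(covered):
    """Return phases with no setting, plus a body limit above the IIS default."""
    notes = [f"no setting constrains: {p}" for p, s in covered.items() if not s]
    for tag, attr, value in covered["request body size"]:
        if value > DEFAULT_MAX_BODY:
            notes.append(f"{attr}={value} exceeds the default {DEFAULT_MAX_BODY}")
    return notes
```

For the posted configuration, `findings(coverage(APP_HOST, WEB_CONFIG))` reports that none of these settings constrains the request body rate, and that the body size limit is above the default.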

  • Re: MinBytesPerSecond for Slow HTTP Post Attack

    Jan 21, 2020 03:23 AM | Jalpa Panchal

    Hello wright.wang,

    I request you to create a new thread for your own issue.

    Thank you for understanding.

  • Re: MinBytesPerSecond for Slow HTTP Post Attack

    Apr 14, 2020 02:15 PM | coldplay5467

    Hi Jalpa,

    Was a new thread ever created for wright.wang's issue?

    Thanks