Security – DOS attack “slow post” : How to prevent in IIS

Tags: denial-of-service, iis, iis-7.5, security

I have a public facing IIS 7.5 web server running a single ASP.NET website, which has just failed one of our security scans with a "slow post" vulnerability.

I have tried reducing the httpRuntime executionTimeout value in the web.config for the site, but the site still fails the security scan.

Has anyone got any recommendations for IIS settings / configuration to prevent slow post DoS attacks?

Edit: I'm thinking the only way to possibly prevent this is to do it in the application: looking at the headers in the BeginRequest sub in the global.asax and, based on the kind of content, ending/closing the response…

The tool recommends testing the vulnerability with this: https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool But I'm really just trying to identify if there's any IIS configuration that can be done to fix it.

Slow post (quoted from the slides linked below):

"How HTTP POST DDOS attack works (HTTP/1.0) (cont'd)

  1. For e.g., Content-Length = 1000 (bytes). The HTTP message body is properly URL-encoded, but ..
  2. ….. is sent at, again for e.g., 1 byte per 110 seconds.
  3. Multiply such connections by 20,000 and your IIS web server will be DDOS.
  4. Most web servers can accept up to 2GB worth of content in a single HTTP POST request."

ref: https://media.blackhat.com/bh-dc-11/Brennan/BlackHat_DC_2011_Brennan_Denial_Service-Slides.pdf

Best Answer

IIS doesn't have any rate throttling natively (or I guess it's negative rate throttling in this case). You can check out the Dynamic IP Restrictions module (http://www.iis.net/download/DynamicIPRestrictions). I don't believe it will check this specifically, but it's worth a peek.

Checks for this may stand a better chance on your firewall / IDS filtering. There may be support there for checking this type of attack.
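As an added illustration (not code from the question, the answer, IIS, or the Dynamic IP Restrictions module), the following Python model shows the two defensive controls this thread touches on: the per-connection minimum body-receive rate that the asker's application-level idea or a firewall/IDS would enforce, and the per-IP concurrent-connection cap of the kind the Dynamic IP Restrictions module provides. The class name, thresholds, IP addresses and the event stream are all constructed for the demo; the only figures taken from the page are the slide's profile of a 1000-byte Content-Length arriving at 1 byte per 110 seconds.

```python
# Added example, not the page's or IIS's code. Models a slow-POST guard that a
# request pipeline, reverse proxy or IDS could apply: drop bodies arriving below
# a minimum rate, and cap concurrent connections per client IP.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    conn_id: str
    client_ip: str
    content_length: int
    started_at: float
    received: int = 0


class SlowPostGuard:
    """Tracks in-flight POST bodies and decides which connections to drop.

    All thresholds are constructed defaults for the demo, not IIS settings.
    """

    def __init__(self, min_bytes_per_sec=50.0, grace_seconds=10.0, max_conns_per_ip=20):
        self.min_rate = min_bytes_per_sec    # floor on body arrival rate
        self.grace = grace_seconds           # tolerate slow starts before judging
        self.max_per_ip = max_conns_per_ip   # concurrent connections per client IP
        self.conns = {}
        self.per_ip = defaultdict(int)

    def open(self, conn_id, client_ip, content_length, now):
        """Accept or reject a new request; returns True if accepted."""
        if self.per_ip[client_ip] >= self.max_per_ip:
            return False
        self.conns[conn_id] = Conn(conn_id, client_ip, content_length, now)
        self.per_ip[client_ip] += 1
        return True

    def feed(self, conn_id, nbytes, now):
        """Record body bytes; the connection leaves the table once the body is complete."""
        c = self.conns.get(conn_id)
        if c is None:
            return
        c.received += nbytes
        if c.received >= c.content_length:
            self._close(c)

    def sweep(self, now):
        """Drop every connection whose body is arriving below the minimum rate."""
        dropped = []
        for c in list(self.conns.values()):
            elapsed = now - c.started_at
            if elapsed <= self.grace:
                continue
            expected = self.min_rate * elapsed
            if c.received < expected:
                dropped.append(c.conn_id)
                self._close(c)
        return dropped

    def _close(self, c):
        del self.conns[c.conn_id]
        self.per_ip[c.client_ip] -= 1


def run_demo():
    """Constructed event stream exercising both controls; returns the outcome."""
    g = SlowPostGuard(min_bytes_per_sec=50.0, grace_seconds=10.0, max_conns_per_ip=20)
    # A legitimate 1000-byte upload that finishes within 2 seconds.
    g.open("legit", "198.51.100.7", 1000, now=0.0)
    g.feed("legit", 1000, now=2.0)
    # The slide's profile: Content-Length 1000, body trickling in at 1 byte per 110 s.
    g.open("slow", "203.0.113.9", 1000, now=0.0)
    g.feed("slow", 1, now=110.0)
    dropped = g.sweep(now=120.0)
    # A second client opens 25 simultaneous POSTs; the per-IP cap admits only 20.
    accepted = sum(g.open(f"flood-{i}", "203.0.113.10", 1000, now=130.0) for i in range(25))
    return {"dropped": dropped, "flood_accepted": accepted, "in_flight": len(g.conns)}


if __name__ == "__main__":
    print(run_demo())
```

The rate check is what defeats the slide's 1-byte-per-110-seconds profile regardless of the declared Content-Length, while the per-IP cap limits how many such connections a single source can hold at once; the two are complementary, since a distributed sender can stay under any per-IP cap.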
