Wednesday, February 6, 2013

IIS Tuning Recommendations against Slow HTTP Attacks

If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.
A single attacker can take down a victim web server with minimal bandwidth.

Request attributes are limited through the RequestLimits element, specifically its maxAllowedContentLength, maxQueryString, and maxUrl attributes:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits

Suggestion
Maximum URL length: 2 KB, by specifying maxUrl 2048.
Maximum query string length: 1 KB, by specifying maxQueryString 1024.
Deny access to unlisted HTTP verbs by clearing the "Allow unlisted verbs" check box.

Set headerLimits to configure the type and size of headers your web server will accept:
http://www.iis.net/configreference/system.webserver/security/requestfiltering/requestlimits/headerlimits

Suggestion
Content-type: 100 bytes

Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the limits and webLimits elements to minimize the impact of slow HTTP attacks.

Suggestion
connectionTimeout: 30 seconds
headerWaitTimeout: 30 seconds
minBytesPerSecond: 250

Limits
http://www.iis.net/configreference/system.applicationhost/sites/sitedefaults/limits

Web Limits
http://www.iis.net/configreference/system.applicationhost/weblimits
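The suggestions above applied in one script, as an added example that is not part of the original post: it uses the WebAdministration PowerShell module against the server-level configuration, with the configuration paths and attribute names taken from the IIS configuration reference linked above; the explicit verb list (GET, POST, HEAD) is an assumption you should adjust to what your application actually needs, and maxAllowedContentLength is left untouched because the post gives no value for it.

```powershell
# Added example: apply the post's slow-HTTP tuning values at server level.
# Run in an elevated PowerShell session on the IIS host.
Import-Module WebAdministration

$appHost = 'MACHINE/WEBROOT/APPHOST'             # applicationHost.config
$rf      = 'system.webServer/security/requestFiltering'

# 1. requestLimits: cap URL (2 KB) and query string (1 KB) sizes.
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name 'maxUrl' -Value 2048
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/requestLimits" -Name 'maxQueryString' -Value 1024

# 2. Deny unlisted verbs (same effect as clearing "Allow unlisted verbs").
#    Caveat: once allowUnlisted is false, every verb the application needs
#    must be listed explicitly or it is rejected with 404.6.
Set-WebConfigurationProperty -PSPath $appHost -Filter "$rf/verbs" -Name 'allowUnlisted' -Value $false
foreach ($verb in @('GET', 'POST', 'HEAD')) {   # assumed verb list, adjust
    if (-not (Get-WebConfiguration -PSPath $appHost -Filter "$rf/verbs/add[@verb='$verb']")) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$rf/verbs" -Name '.' -Value @{verb=$verb; allowed='True'}
    }
}

# 3. headerLimits: Content-type header no larger than 100 bytes.
#    Replace an existing entry rather than failing on a duplicate.
$hl = "$rf/requestLimits/headerLimits"
if (Get-WebConfiguration -PSPath $appHost -Filter "$hl/add[@header='Content-type']") {
    Remove-WebConfigurationProperty -PSPath $appHost -Filter $hl -Name '.' -AtElement @{header='Content-type'}
}
Add-WebConfigurationProperty -PSPath $appHost -Filter $hl -Name '.' -Value @{header='Content-type'; sizeLimit=100}

# 4. Timeouts and the minimum transfer rate.
#    connectionTimeout lives under siteDefaults/limits; headerWaitTimeout and
#    minBytesPerSecond under webLimits. minBytesPerSecond also drops legitimate
#    slow clients, so watch for unexpected disconnects after raising it.
$limits    = 'system.applicationHost/sites/siteDefaults/limits'
$webLimits = 'system.applicationHost/webLimits'
Set-WebConfigurationProperty -PSPath $appHost -Filter $limits    -Name 'connectionTimeout' -Value '00:00:30'
Set-WebConfigurationProperty -PSPath $appHost -Filter $webLimits -Name 'headerWaitTimeout' -Value '00:00:30'
Set-WebConfigurationProperty -PSPath $appHost -Filter $webLimits -Name 'minBytesPerSecond' -Value 250

# 5. Read the values back so the change can be confirmed (and logged).
@(
    @{ Filter = "$rf/requestLimits"; Name = 'maxUrl' },
    @{ Filter = "$rf/requestLimits"; Name = 'maxQueryString' },
    @{ Filter = "$rf/verbs";         Name = 'allowUnlisted' },
    @{ Filter = $limits;             Name = 'connectionTimeout' },
    @{ Filter = $webLimits;          Name = 'headerWaitTimeout' },
    @{ Filter = $webLimits;          Name = 'minBytesPerSecond' }
) | ForEach-Object {
    $v = Get-WebConfigurationProperty -PSPath $appHost -Filter $_.Filter -Name $_.Name
    '{0}/@{1} = {2}' -f $_.Filter, $_.Name, $v
}
```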