How to Protect Against Slow HTTP Attacks
Last updated on: December 23, 2022
Table of Contents
Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP attacks are easy to execute because they require only minimal resources from the attacker.
In this article, I describe several simple steps to protect against slow HTTP attacks and to make the attacks more difficult to execute.
Previous articles in the series cover:
- Identifying Slow HTTP Attack Vulnerabilities on Web Application
- New Open-Source Tool for Slow HTTP DoS Attack Vulnerabilities
- Testing Web Servers for Slow HTTP Attacks
Protection Strategies
To protect your Web server against slow HTTP attacks, I recommend the following:
- Reject / drop connections with HTTP methods (verbs) not supported by the URL.
- Limit the header and message body to a minimal reasonable length. Set tighter URL-specific limits as appropriate for every resource that accepts a message body.
- Set an absolute connection timeout, if possible. Of course, if the timeout is too short, you risk dropping legitimate slow connections; and if it’s too long, you don’t get any protection from attacks. I recommend a timeout value based on your connection length statistics, e.g. a timeout slightly greater than median lifetime of connections should satisfy most of the legitimate clients.
- The backlog of pending connections allows the server to hold connections it’s not ready to accept, and this allows it to withstand a larger slow HTTP attack, as well as gives legitimate users a chance to be served under high load. However, a large backlog also prolongs the attack, since it backlogs all connection requests regardless of whether they’re legitimate. If the server supports a backlog, I recommend making it reasonably large to so your HTTP server can handle a small attack.
- Define the minimum incoming data rate, and drop connections that are slower than that rate. Care must be taken not to set the minimum too low, or you risk dropping legitimate connections.
Server-Specific Recommendations
Applying the above steps to the HTTP servers tested in the previous article indicates the following server-specific settings:
Apache
- Using the <Limit> and <LimitExcept> directives to drop requests with methods not supported by the URL alone won’t help, because Apache waits for the entire request to complete before applying these directives. Therefore, use these parameters in conjunction with the LimitRequestFields, LimitRequestFieldSize, LimitRequestBody, LimitRequestLine, LimitXMLRequestBody directives as appropriate. For example, it is unlikely that your web app requires an 8190 byte header, or an unlimited body size, or 100 headers per request, as most default configurations have.
- Set reasonable TimeOut and KeepAliveTimeOut directive values. The default value of 300 seconds for TimeOut is overkill for most situations.
- ListenBackLog’s default value of 511 could be increased, which is helpful when the server can’t accept connections fast enough.
- Increase the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections.
- Adjust the AcceptFilter directive, which is supported on FreeBSD and Linux, and enables operating system specific optimizations for a listening socket by protocol type. For example, the httpready Accept Filter buffers entire HTTP requests at the kernel level.
A number of Apache modules are available to minimize the threat of slow HTTP attacks. For example, mod_reqtimeout’s RequestReadTimeout directive helps to control slow connections by setting timeout and minimum data rate for receiving requests.
I also recommend switching apache2 to experimental Event MPM mode where available. This uses a dedicated thread to handle the listening sockets and all sockets that are in a Keep Alive state, which means incomplete connections use fewer resources while being polled.
Nginx
- Limit accepted verbs by checking the $request_method variable.
- Set reasonably small client_max_body_size, client_body_buffer_size, client_header_buffer_size, large_client_header_buffers, and increase where necessary.
- Set client_body_timeout, client_header_timeout to reasonably low values.
- Consider using HttpLimitReqModule and HttpLimitZoneModule to limit the number of requests or the number of simultaneous connections for a given session, or as a special case, with same address.
- Configure worker_processes and worker_connections based on the number of CPU / cores, content and load. The formula is max_clients = worker_processes * worker_connections.
lighttpd
- Restrict request verbs using the $HTTP[“request-method”] field in the configuration file for the core module (available since version 1.4.19).
- Use server.max_request-size to limit the size of the entire request including headers.
- Set server.max-read-idle to a reasonable minimum so that the server closes slow connections. No absolute connection timeout option was found.
IIS 6
- Set connectionTimeout, HeaderWaitTimeout and MaxConnections properties in Metabase to minimize the impact of slow HTTP attacks. Working with Metabase can be complicated, so I recommend Microsoft’s Working with the Metabase reference guide.
IIS 7
- Limit request attributes is through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
- Set <headerLimits> to configure the type and size of header your web server will accept.
- Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.
What’s Next
The above are the simplest and most generic countermeasures to minimize the threat. Tuning the Web server configuration is effective to an extent, although there is always a tradeoff between limiting slow HTTP attacks and dropping legitimately slow requests. This means you can never prevent attacks simply using the above techniques.
Beyond configuring the web server, it’s possible to implement other layers of protection like event-driven software load balancers, hardware load balancers to perform delayed binding, and intrusion detection/prevention systems to drop connections with suspicious patterns.
However, today, it probably makes more sense to defend against specific tools rather than slow HTTP attacks in general. Tools have weaknesses that can be identified and and exploited when tailoring your protection. For example, slowhttptest doesn’t change the user-agent string once the test has begun, and it requests the same URL in every HTTP request. If a web server receives thousands of connections from the same IP with the same user-agent requesting the same resource within short period of time, it obviously hints that something is not legitimate. These kinds of patterns can be gleaned from the log files, therefore monitoring log files to detect the attack still remains the most effective countermeasure.
Hi!
I would like to know if you have references of how to fix this vulnerability in glassfish?.
thanks.
Never looked at glassfish, but I found this reference a good starting point. I guess if you apply all concepts like minimizing timeout, limit POST body, etc to glassfish configuration, it should improve handling slow DoS attacks.
Hi Sergey,
Thanks for sharing this info. Well documented here.
In regards to your lighttpd suggestions, I understand this would reduce the chances of DOS, but they are not bullet-proof IMHO.
With reduced interval between sending the data ( less than max-read-idle), it can still do the same effect.
Regards.
Nice tips, thanks for sharing.
On Apache, does increasing MaxRequestWorkers consume or block more memory? If the max concurrent users load on my website was 150, is 250 good enough for MaxRequestWorkers?
Any Recommendation for Oracle Weblogic server. What are the parameters we can configure to prevent this slow HTTP post attack in weblogic server?
How to configure the Weblogic Server to prevent the slow HTTP post attack?
For Weblogic, take a look at these settings – https://docs.oracle.com/cd/E13222_01/wls/docs81/adminguide/web_server.html#100466
Thank you very much, you have given me a great help.
Hi,How to configure the Apache Tomcat server to prevent the slow HTTP post attack?
How to configure the Wildfly 9.0 Server to prevent the slow HTTP post attack?
What is Request timeout limit for enough get good performence like 30 or 60 sec. in Apache.
On Apache, does increasing MaxRequestWorkers consume or block more memory? If the max concurrent users load on my website was 150, is 250 good enough for MaxRequestWorkers?
Please suggest what configuration need to be done to prevent to prevent the slow HTTP post attack on Wildfly 9.09.2.
Thanks in advance for urgent help
How do you to prevent slow HTTP POST Denial of Service (DoS) attack in IBM Web Sphere and WAS?
Is there any steps for Azure Web Apps and how we can configure it as we have a slow attack from Qualsys but nothing on how to fix it in an Azure Web app where we don’t control this setting.
To Steve and anyone else trying to protect their Azure Web App,
I found the following link to be very helpful: https://benperk.github.io/msdn/2015/2015-03-making-changes-to-the-applicationhost-config-on-azure-websites.html
I’ve tried using but I’m yet to determine whether these settings actually work.
Good luck!
Hi
Please help me to resolve this vulnerability in weblogic application server.
Thanks In Advance!
what should be the ideal value of connection timeout on iis server to resolve slow http post request?
the application is a ticketing tool which are used by few users just to create the ticket corresponds to each task assign to them
I would love to know how the TRAEFIK proxy is handling this…
Hello everyone
Can someone please let us know how to avoid susceptibility in weblogic application server.
Thanks
Murali
myholidayhappienss.com
Hello everyone
Can you please let us know how to configure Weblogic Server to avoid slowness of HTTP post attack
An HTTP flood attack is a particular kind of distributed denial-of-service (DDoS) attack that aims to flood a target server with HTTP requests. Denial-of-service attacks take place when the target is overloaded with requests and is unable to respond to regular traffic.