Our customer is having problems with Slow HTTP DOS (denial of service) attacks. They would like to know if there is any way of mitigating this. I have checked the knowledge base and splash and can't find anything. I have advised them of the following; Reject / drop connections with HTTP methods (verbs) not supported by the URL. Catalogs | Protection | HTTP Specific Settings Limit the header and message body to a minimal reasonable length. Set tighter URL-specific limits as appropriate for every resource that accepts a message body. Catalogs | Protection | HTTP Specific Settings Set an absolute connection timeout, if possible. Of course, if the timeout is too short, you risk dropping legitimate slow connections. Virtual Server | Connection Management | Timeout Settings connect_timeout keepalive_timeout timeout max_transaction_duration Is there any way of performing the following; "The backlog of pending connections allows the server to hold connections it’s not ready to accept, and this allows it to withstand a larger slow HTTP attack, as well as gives legitimate users a chance to be served under high load." The main way the SteelApp protects against Classic DOS attacks is using Rate Shaping and Service Protection. However, these are mostly based around max numbers of connections or large amounts of bandwidth, there is not as much to do with minimum rates. I have raised a support ticket and they advised the following; I have raised a case with Support and they have advised the following; We do have an open feature request to add a configuration option for something that will counter such attacks. An option could be to use a configuration key (added in 9.6) at the virtual server level, max_transaction_duration, to specify the maximum duration of a transaction, regardless of whether data is being sent over the connection. If this time is exceeded, the client connection will be closed. This value can be overridden on a per-request level using the new TrafficScript function request.setMaxTransactionDuration. The currently active value can be queried in TrafficScript with request.getMaxTransactionDuration. This way you can dynamically set timeouts, based on given criteria, using a TrafficScript rule. Some examples are shown in the TrafficScript Guide. The WebApp Firewall primarily focuses on vulnerabilities listed by OWASP (https://www.owasp.org/index.php/Main_Page) so would not be of any use for this type of attack. Does anybody else have any suggestions about how to mitigate these attacks?
... View more