So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to slow HTTP post DoS attack. The report stated we should
<RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
<headerLimits> to configure the type and size of header your web server will accept.
<limits> <WebLimits> elements to minimize the impact of slow HTTP attacks.

The trouble is I'm having a hard time finding any recommendations on how these values should be set. E.g. the minBytesPerSecond is default 240, but what should it be to prevent SlowHTTPPost attacks?
Cheers Jens
So, ended up following this guy's recommendations:
http://cagdasulucan.blogspot.se/2013/02/iis-recommendations-against-slow-http.html
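
Added example (not part of the original posts or the linked blog): a small audit that reads an IIS configuration file and reports, for each setting the report names, whether it is set explicitly or still falls back to the default. The sample config and its values are constructed for illustration and are not recommendations; the element locations and the defaults other than minBytesPerSecond are assumptions taken from Microsoft's IIS schema documentation and should be checked against your IIS version.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt (not from the post); values are illustrative only.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <sites><siteDefaults><limits connectionTimeout="00:00:30" /></siteDefaults></sites>
    <webLimits connectionTimeout="00:00:30" minBytesPerSecond="240" />
  </system.applicationHost>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="1048576" maxUrl="2048">
          <headerLimits><add header="Content-type" sizeLimit="100" /></headerLimits>
        </requestLimits>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# (element path, attribute, default assumed when the attribute is not set)
CHECKS = [
    (".//requestFiltering/requestLimits", "maxAllowedContentLength", "30000000"),
    (".//requestFiltering/requestLimits", "maxQueryString", "2048"),
    (".//requestFiltering/requestLimits", "maxUrl", "4096"),
    (".//siteDefaults/limits", "connectionTimeout", "00:02:00"),
    (".//webLimits", "connectionTimeout", "00:02:00"),
    (".//webLimits", "headerWaitTimeout", "00:00:00"),
    (".//webLimits", "minBytesPerSecond", "240"),
]

def audit(config_xml):
    """Return (findings, header_limits): effective value and its source per attribute."""
    root = ET.fromstring(config_xml)
    findings = {}
    for path, attr, default in CHECKS:
        elem = root.find(path)
        explicit = elem.get(attr) if elem is not None else None
        key = path.rsplit("/", 1)[-1] + "/@" + attr
        findings[key] = (explicit or default, "explicit" if explicit else "default")
    # Per-header size caps configured under <headerLimits>
    header_limits = {a.get("header"): int(a.get("sizeLimit"))
                     for a in root.findall(".//requestLimits/headerLimits/add")}
    return findings, header_limits

if __name__ == "__main__":
    findings, header_limits = audit(SAMPLE_CONFIG)
    for key, (value, source) in findings.items():
        print(f"{key:42} {value:>10}  ({source})")
    print("headerLimits:", header_limits or "none configured")
```

Settings reported as "default" are the ones that have never been reviewed for the site; a web.config that overrides requestFiltering at site level would need to be audited the same way.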