HTTP Slow Post and IIS settings to prevent

M Raymaker picture M Raymaker · Jan 25, 2016 · Viewed 13.2k times · Source

So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to slow HTTP post DoS attack. The report stated we should

  • Limit request attributes is through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
  • Set <headerLimits> to configure the type and size of header your web server will accept.
  • Tune the connectionTimeout,
    headerWaitTimeout, and minBytesPerSecond attributes of the <limits>
    and <WebLimits> elements to minimize the impact of slow HTTP attacks.

The trouble is I'm having a hard time finding any recommendations on how these values should be set. Eg. the minBytesPerSecond is default 240, but what should it be to prevent SlowHTTPPost attacks?

Cheers Jens

Answer

M Raymaker picture M Raymaker · Feb 1, 2016