HTTP Slow Post and IIS settings to prevent
So, ended up following this guy's recommendations:
http://cagdasulucan.blogspot.se/2013/02/iis-recommendations-against-slow-http.html
![M Raymaker](https://i.stack.imgur.com/T6dec.jpg?s=256&g=1)
M Raymaker
I am a full-stack .NET engineer for business applications, which has giving me a profound understanding of client-server applications. Officially employed as .NET developer, I don’t restrict myself to this platform and I stay curious about other technologies, concepts and programming languages. I listen regularly to webinars, particularly around security and software architecture, which also spawned my desire to work with Azure and using cutting-edge technologies Blazor and Kubernetes. That is also how I discovered and started to study Jason Taylors Clean Architecture Youtube videos to lay the foundations to work in data-intensive environments.
Updated on July 26, 2022Comments
-
M Raymaker almost 2 years
So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to slow HTTP post DoS attack. The report stated we should
- Limit request attributes is through the
<RequestLimits>
element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes. - Set
<headerLimits>
to configure the type and size of header your web server will accept. - Tune the connectionTimeout,
headerWaitTimeout, and minBytesPerSecond attributes of the<limits>
and<WebLimits>
elements to minimize the impact of slow HTTP attacks.
The trouble is I'm having a hard time finding any recommendations on how these values should be set. Eg. the minBytesPerSecond is default 240, but what should it be to prevent SlowHTTPPost attacks?
Cheers Jens
- Limit request attributes is through the