HTTP Slow Post and IIS settings to prevent


So, ended up following this guy's recommendations:

http://cagdasulucan.blogspot.se/2013/02/iis-recommendations-against-slow-http.html

Author by

M Raymaker


Updated on July 26, 2022

Comments

  • M Raymaker almost 2 years

    So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to a slow HTTP post DoS attack. The report stated we should:

    • Limit request attributes through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
    • Set <headerLimits> to configure the type and size of header your web server will accept.
    • Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.

    The trouble is I'm having a hard time finding any recommendations on how these values should be set. E.g. the minBytesPerSecond is default 240, but what should it be to prevent SlowHTTPPost attacks?

    Cheers Jens
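
The script below is an added example, not part of the original post or the linked blog. It shows where the attributes named in the report live in an IIS configuration file (`requestLimits`, `headerLimits` and `webLimits`) and checks them against a baseline. The sample config is constructed and every bound in `BASELINE` is an assumption for illustration, not a recommendation taken from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): a trimmed applicationHost.config.
SAMPLE = """<configuration>
  <system.applicationHost>
    <webLimits connectionTimeout="00:02:00" minBytesPerSecond="0" />
  </system.applicationHost>
  <system.webServer><security><requestFiltering>
    <requestLimits maxAllowedContentLength="4294967295" maxUrl="4096">
      <headerLimits><add header="Content-Type" sizeLimit="100" /></headerLimits>
    </requestLimits>
  </requestFiltering></security></system.webServer>
</configuration>"""

REQ = "system.webServer/security/requestFiltering/requestLimits"
WEB = "system.applicationHost/webLimits"

# Assumed baseline, for illustration only: (path, attribute, kind, bound).
# "max": value must not exceed bound; "min": value must be at least bound.
BASELINE = [
    (REQ, "maxAllowedContentLength", "max", 30_000_000),
    (REQ, "maxQueryString", "max", 2048),
    (REQ, "maxUrl", "max", 4096),
    (WEB, "connectionTimeout", "max", 120),   # seconds
    (WEB, "headerWaitTimeout", "max", 30),    # seconds
    (WEB, "minBytesPerSecond", "min", 240),   # the default quoted in the question
]

def to_number(value):
    """Parse an integer or an hh:mm:ss timespan (returned as seconds)."""
    if ":" in value:
        h, m, s = (int(p) for p in value.split(":"))
        return h * 3600 + m * 60 + s
    return int(value)

def audit(xml_text, baseline=BASELINE):
    """Return (attribute, finding) pairs for settings missing or off baseline."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr, kind, bound in baseline:
        node = root.find(path)
        raw = node.get(attr) if node is not None else None
        if raw is None:
            findings.append((attr, "not set explicitly"))
        elif (to_number(raw) > bound) if kind == "max" else (to_number(raw) < bound):
            findings.append((attr, f"{raw} fails {kind} bound {bound}"))
    if root.find(REQ + "/headerLimits/add") is None:
        findings.append(("headerLimits", "no per-header size limit defined"))
    return findings
```

Running `audit(SAMPLE)` flags the oversized `maxAllowedContentLength`, the unset `maxQueryString` and `headerWaitTimeout`, and the `minBytesPerSecond` value below the baseline floor.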