Somewhat urgent request: Guidance on how to modify built-in server to resist 'slow HTTP' DoS attack
Added by Steve Drake over 10 years ago
A "Slow HTTP Denial of Service" attack and suggested countermeasures are explained here:
https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
In a nutshell, the attacker establishes multiple HTTP connections, and then communicates very slowly to cause resources to be tied up for long periods of time.
I am facing a deadline that requires me to implement changes to the Wt built-in web server in the next few days in order to protect my system from this sort of attack. This was identified as a vulnerability by the Qualys security scanner that my company uses.
I am looking for any guidance as to how to do this and what file(s) I would likely need to modify. I think that for each existing connection, I would need to record information that would allow me to track the communication rate and terminate any connection that falls below a threshold. I am starting by looking at Wt/src/http/Server.C but have just started to scratch the surface. So I am hoping someone can point me in the right direction.
Thanks in advance for any input!
Steve Drake
Replies (3)
RE: Somewhat urgent request: Guidance on how to modify built-in server to resist 'slow HTTP' DoS attack - Added by Wim Dumon over 10 years ago
Hello Steve,
We have a timeout (CONNECTION_TIMEOUT, set to 120 seconds in http/Connection.C), the maximum timeout that each individual read and write operation can spend. Lowering that 120 seconds is a first option and could satisfy the Qualys test.
A more thorough solution is probably to limit how long receiving a header or a body can take, but that is not implemented. If you want to implement this, I would suggested to add a timer to class Connection (globalRequestTimeout? slowHttpDosTimeout?), initialize it to the header parse timeout in Connection::start, reset it to the body receive timeout (maybe based on expected length of the body?) when the header has been parsed (in handleRequest0() when result is true), and then reset it again when the body is received (in handleReadBody()).
Upon timeout, call close(). Resetting the timers when the body or header is correctly received within the timeout is of course crucial for correct operation.
Then test thoroughly, and send the patch our way :)
Best regards,
Wim.
RE: Somewhat urgent request: Guidance on how to modify built-in server to resist 'slow HTTP' DoS attack - Added by Steve Drake over 10 years ago
Thanks for the quick reply Wim. I'll give that a try. If I come up with something that works, I'll definitely send a patch.
Steve
RE: Somewhat urgent request: Guidance on how to modify built-in server to resist 'slow HTTP' DoS attack - Added by Steve Drake over 10 years ago
In http/Connection.C, by setting CONNECTION_TIMEOUT to 10 seconds (instead of 120) and KEEPALIVE_TIMEOUT to 5 (instead of 10), I was able to get it to pass the Qualys slow HTTP vulnerability test. I don't really think that the change should be included in the standard Wt release, so no patch. A longer term change that might be helpful would be to make these timeouts configurable at run-time. (However, I did not have time to pursue that more patch-worthy change.)
Thanks for the help.
Steve