Question
So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to a slow HTTP post DoS attack. The report stated we should
- Limit request attributes through the <RequestLimits> element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
- Set <headerLimits> to configure the type and size of header your web server will accept.
- Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the <limits> and <WebLimits> elements to minimize the impact of slow HTTP attacks.
The trouble is I'm having a hard time finding any recommendations on how these values should be set. E.g. the minBytesPerSecond is default 240, but what should it be to prevent SlowHTTPPost attacks?
Cheers Jens
Answer 1:
So, ended up following this guy's recommendations:
http://cagdasulucan.blogspot.se/2013/02/iis-recommendations-against-slow-http.html
Source: https://stackoverflow.com/questions/34990459/http-slow-post-and-iis-settings-to-prevent
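An added example, not part of the original question or answer: a Python audit that reads an IIS configuration file and lists which of the attributes named in the report are explicitly set and which are absent and therefore inherit the IIS default. The sample XML is constructed, and the element paths are assumptions taken from the IIS configuration schema (which spells the elements requestLimits and webLimits).

```python
import xml.etree.ElementTree as ET

RL = "system.webServer/security/requestFiltering/requestLimits"
WL = "system.applicationHost/webLimits"
SL = "system.applicationHost/sites/siteDefaults/limits"
# (element path, attribute) pairs named in the report; IIS element names are
# case-sensitive, so the schema spelling requestLimits/webLimits is used.
CHECKS = [(RL, "maxAllowedContentLength"), (RL, "maxQueryString"), (RL, "maxUrl"),
          (SL, "connectionTimeout"), (WL, "connectionTimeout"),
          (WL, "headerWaitTimeout"), (WL, "minBytesPerSecond")]

# Constructed sample, shaped like applicationHost.config (not from the page).
SAMPLE = """<configuration>
  <system.applicationHost>
    <webLimits minBytesPerSecond="240" />
    <sites><siteDefaults /></sites>
  </system.applicationHost>
  <system.webServer><security><requestFiltering>
    <requestLimits maxAllowedContentLength="30000000">
      <headerLimits><add header="Content-type" sizeLimit="100" /></headerLimits>
    </requestLimits>
  </requestFiltering></security></system.webServer>
</configuration>"""

def audit(xml_text):
    """Map 'element@attribute' to its explicit value, or None if not set."""
    root = ET.fromstring(xml_text)
    report = {}
    for path, attr in CHECKS:
        node = root.find(path)
        key = f"{path.rsplit('/', 1)[-1]}@{attr}"
        report[key] = node.get(attr) if node is not None else None
    # Per-header size caps configured under <headerLimits>.
    report["headerLimits"] = {n.get("header"): n.get("sizeLimit")
                              for n in root.findall(RL + "/headerLimits/add")}
    return report

def unset(report):
    """Attributes with no explicit value; these inherit the IIS default."""
    return sorted(k for k, v in report.items() if v is None)

if __name__ == "__main__":
    result = audit(SAMPLE)
    for name, value in result.items():
        print(f"{name:40} {value if value is not None else '(not set)'}")
    print("Inheriting defaults:", ", ".join(unset(result)))
```

Run it against a copy of the server's applicationHost.config or a site's web.config by passing the file contents to `audit()`; settings applied at a different configuration level will show as not set in the file being read.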