Monday, 25 January 2016

HTTP Slow Post and IIS settings to prevent

So we got this report from a Security Company saying our MVC website running on IIS 8.0 was vulnerable to a slow HTTP POST DoS attack. The report stated we should:

  • Limit request attributes is through the element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes.
  • Set to configure the type and size of header your web server will accept.
  • Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the and elements to minimize the impact of slow HTTP attacks.

The trouble is I'm having a hard time finding any recommendations on how these values should be set. E.g. minBytesPerSecond is 240 by default, but what should it be to prevent SlowHTTPPost attacks?

Cheers Jens
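
An added example, not part of the original post or the security report: a small Python audit that reads an IIS configuration and reports, for each attribute the report lists, whether it is unset, explicitly at the IIS default, or tuned, plus any per-header caps under `headerLimits`. It assumes the attributes sit on the standard `requestLimits`, `limits` and `webLimits` elements; the sample XML and the function name `audit` are constructed here, and the sample's numbers are placeholders, not recommended values.

```python
import xml.etree.ElementTree as ET

# IIS default values for the attributes the report names.
DEFAULTS = {
    "requestLimits": {"maxAllowedContentLength": "30000000",
                      "maxQueryString": "2048", "maxUrl": "4096"},
    "limits": {"connectionTimeout": "00:02:00"},
    "webLimits": {"connectionTimeout": "00:02:00",
                  "headerWaitTimeout": "00:00:00", "minBytesPerSecond": "240"},
}

# Constructed sample; the numbers are placeholders, not recommended values.
SAMPLE = """<configuration>
  <system.applicationHost>
    <sites><site name="ExampleSite" id="1">
      <limits connectionTimeout="00:00:30" />
    </site></sites>
    <webLimits minBytesPerSecond="240" />
  </system.applicationHost>
  <system.webServer><security><requestFiltering>
    <requestLimits maxAllowedContentLength="1048576">
      <headerLimits><add header="Content-Type" sizeLimit="100" /></headerLimits>
    </requestLimits>
  </requestFiltering></security></system.webServer>
</configuration>"""

def audit(config_xml):
    """Return (findings, header_caps) for the settings named in the report."""
    root = ET.fromstring(config_xml)
    findings = []
    for element, attrs in DEFAULTS.items():
        nodes = list(root.iter(element))
        for attr, default in attrs.items():
            values = [n.get(attr) for n in nodes if n.get(attr) is not None]
            if not values:  # attribute absent everywhere: IIS falls back to its default
                findings.append((element, attr, default, "unset, IIS default applies"))
            for v in values:
                status = "explicit, equals IIS default" if v == default else "explicit, tuned"
                findings.append((element, attr, v, status))
    # Per-header size caps configured under <headerLimits>, keyed by header name.
    caps = {a.get("header"): a.get("sizeLimit")
            for hl in root.iter("headerLimits") for a in hl.iter("add")}
    return findings, caps

if __name__ == "__main__":
    findings, caps = audit(SAMPLE)
    for row in findings:
        print("%-14s %-24s %-10s %s" % row)
    print("headerLimits:", caps or "none configured")
```

Values are compared as strings, so a timespan written in a different but equivalent form would be reported as tuned.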
