DOS attack "slow post" : How to prevent in IIS

Solution 1:

IIS doesn't have any rate throttling natively (or I guess it's negative rate throttling in this case). You can check out the Dynamic IP Restrictions module (http://www.iis.net/download/DynamicIPRestrictions). I don't believe it will check this specifically, but it's worth a peek.

Checks for this may stand a better chance on your firewall IDS filtering. There may be support there for checking this type of attack.

Solution 2:

Your security scan ought to tell you what it triggered on.

How low did you set the execution timeout? Something else to lower (it'd have to be pretty low to mitigate this attack..) would be the connection timeout.

But, the thing with these mitigations is that they don't prevent the attack outright, just make it less potent per the volume of attacking resources; the threshold setting for your security scan is likely a pretty arbitrary number, and getting under that number doesn't mean you're immune to the attack.

Solution 3:

In our tests, we found out that Qualys is flagging the URL because the server keeps the connection open for 500 seconds while waiting for request to be completed.

The parameter that we edited for the connection to stay open during the slow response is minBytesPerSecond. the default value is 250. We set it to 400

Prevent Slow HTTP POST vulnerability Denial of Service (DoS) attack