Protect Web service or Web site from Slow HTTP Attacks

Kailash Chandra Behera | Tuesday, December 26, 2017


I describe several simple and effective steps to tuning IIS and server for protecting against slow HTTP attacks and to make the attacks more difficult to execute.

Before starting execution of steps, let’s discus about the Slow HTTP attack. Slow HTTP attack is kind of attack in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. This kind of attack leads more consumption of server resources by maintaining open connections for an extended period of times by slowly sending traffic to the server.

This kind of attack is known as application level denial-of-service (DoS) attack. it does not require a large amount of traffic to be sent to the server only that the client is able to maintain open connections for several minutes at a time.

Slow HTTP attack holds server connections open by sending properly crafted HTTP POST headers that contain a Content-Length header with a large value to inform the web server how much of data to expect.

If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a DoS. This type of attack is easy to execute because they require only minimal resources from the attacker.

Steps to Tuning IIS and Server

  1. Set off echo of server
  2. Limit the request attribute
  3. Limit the Header Content Length
  4. Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the limits and WebLimits elements

Getting Started

The first steps to tuning your server for preventing DoS attack is, disable the ping/ICMP(echo request) of server which will prevent hacker to identify your server.

To disable the ping rule just follow the below steps and Unselect Enable Rule in the last step.

Go to Start >> Administrative Tools >> Windows Firewall with Advanced Security >> Inbound Rules >> File and Printer Sharing (Echo Request – ICMPv4-IN) >> right click and Unselect Enable Rule.

Secondly minimize the request limit of your web application using IIS. Limit request attributes(maxAllowedContentLength, maxQueryString, and maxUrl attributes). Various sites have been various values but my problem is shorted out with below values.

maximum URL length: 2KB by specifying 2048.
maximum query string length : 1KB by specifying 1024.
Deny access to unlisted HTTP verbs by clearing the Allow unlisted verbs check box.

For setting request limit in IIS refer the below link

Then set the header content limit of request and response to 100 bytes, this is the minimum recommended value which prevent large content header which causes your website slow. For configuring header limit visit this link.

The last and final step of this blog is tunning connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the limits and WebLimits elements. for tunning folow the blow guide lines.

Go to path: C:\Windows\System32\inetsrv\config=> copy and past the 'applicationHost' configuration file into other location. =>Open 'applicationHost' file =>You will get text inside the file ' '

Replace this 'weblimits' tag with below code.

 <webLimits connectionTimeout="00:00:30"  
      minBytesPerSecond="250" />  
Save the file and close it, restart your server and check the result.


Hope this article will fulfill your requirements. enjoy and happy coding