{IIS} Protect Against DoS (Slow Loris) Attacks

  1. #1
    JazzySenpai (Member, joined Jun 2019, 7 posts)

    [config] {IIS} Protect Against DoS (Slow Loris) Attacks

    Hellos RZ,

    First things first: I am not an expert at these things, and this is not a "this will 100% guarantee to block all DoS attacks"; this is just a few things I use to protect my IIS install from them. There are probably much better ways of doing this, and I probably have things that are messed up. If you know of a better way then please let me know.

    This tutorial also presumes you already have IIS installed and configured for your retro.

    First thing you want to do is go into your IIS manager, go to your site, and go into Request Filtering.

    Hit "Edit Feature Settings" on the right-hand side; see the screenshot below for my settings.



    Click OK, then go to the Headers tab in Request Filtering and add a new header with these entries:



    Then go back to your website settings, right-click, and select "Advanced Settings" as shown below. Then expand the Limits tab and set Connection Timeout to 30. Once done, click OK.



    Next go up to "Application Pools" and right-click the one that shares the name with the website you have set up. For me, this is Default. Select Advanced Settings, scroll down until you see "Generate Process Model...." and set "Idle Time-Out (Minutes)" to "1" and "Maximum Worker Processes" to 0, as shown.





    That should be it! Hopefully I haven't missed anything!


  2. #2
    Wreckless (Member, joined May 2012, location The Wasteland, 985 posts)

    Re: {IIS} Protect Against DoS (Slow Loris) Attacks

    Quote Originally Posted by JazzySenpai: (post #1 above, quoted in full)
    To be clear, this isn't necessarily DDoS protection, but you're right it can help protect your server. You're essentially limiting the size of requests and setting a timeout on them so they don't queue up.

    A better solution is full-on mitigation to another server, and there are actually a lot of hosting companies that provide the service. You can also set it up yourself on AWS, if you know how.

    Thanks for sharing.

  3. #3
    Bola (Developer, joined Dec 2011, location Brazil, 1,758 posts)

    Re: {IIS} Protect Against DoS (Slow Loris) Attacks

    Quote Originally Posted by Wreckless: (post #2 above, quoted in full)
    Slowloris is a software-based attack (layer 7), not spam or brute force.

  4. #4
    JazzySenpai (Member, joined Jun 2019, 7 posts)

    Re: {IIS} Protect Against DoS (Slow Loris) Attacks

    Most datacenters these days do mitigation, which is nice, so as long as your server is hosted by a datacenter that has it, the only real threat then is Slowloris attacks... and probably many, many other things my tired brain can't think of... but hey, at least we somewhat have a way of holding against them!

  5. #5
    rstrui (Member, joined Mar 2019, 14 posts)

    Re: {IIS} Protect Against DoS (Slow Loris) Attacks

    If money isn't an issue, Cloudflare's Business plan will block all types of OWASP attacks.

  6. #6
    Droppy (Internal Coder, joined Feb 2012, location /home/droppy, 2,047 posts)

    Re: {IIS} Protect Against DoS (Slow Loris) Attacks

    This helps in case of Slowloris attacks. Cloudflare doesn't for some reason.

    The problem is that you can send very slow header requests, and Microsoft's own documentation says something that won't work on IIS 7.5+ for header timeout.

    The best way is to set up load balancing with HAProxy, then limit the header/body timeout.

    Header is usually pretty small, so I'd say the timeout should be 5 seconds.

    Edit: by the way, isn't 30.000.000 max content length a bit too high?

    It would probably be ineffective against slowloris.

    It means that you can send 1 byte every 29 seconds, up until 30.000.000 bytes, and still be connected.
    Last edited by Droppy; 06-09-19 at 10:17 AM.
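
    The steps from post #1 in script form, with the slow-byte concern from post #6 covered as well. This is an added example, not code from the thread or from Microsoft; it assumes the WebAdministration module, the site name "Default Web Site", the pool "DefaultAppPool", and the header-limit and URL/query-string values, which the missing screenshots do not supply.

```powershell
# Added example (not from the thread): applies the Request Filtering limits, the
# 30 s connection timeout, the 1 min app pool idle timeout and maxProcesses = 0 that
# post #1 walks through, then reads the values back. Names and limits marked
# "assumed" are not on the page; adjust them to your own install.
Import-Module WebAdministration

$site      = 'Default Web Site'   # assumed site name
$appPool   = 'DefaultAppPool'     # assumed; post #1 uses the pool named after the site
$sitePath  = "IIS:\Sites\$site"
$reqLimits = 'system.webServer/security/requestFiltering/requestLimits'

# Request Filtering > Edit Feature Settings. 30,000,000 bytes is the value post #6
# calls too high; a site that never accepts uploads can go far lower.
Set-WebConfigurationProperty -PSPath $sitePath -Filter $reqLimits `
    -Name 'maxAllowedContentLength' -Value 30000000
Set-WebConfigurationProperty -PSPath $sitePath -Filter $reqLimits `
    -Name 'maxUrl' -Value 4096          # assumed value
Set-WebConfigurationProperty -PSPath $sitePath -Filter $reqLimits `
    -Name 'maxQueryString' -Value 2048  # assumed value

# Request Filtering > Headers tab: cap one header's size (header and limit assumed).
Add-WebConfigurationProperty -PSPath $sitePath -Filter "$reqLimits/headerLimits" `
    -Name '.' -Value @{ header = 'Content-Type'; sizeLimit = 100 }

# Site > Advanced Settings > Limits > Connection Time-out = 30 seconds.
Set-ItemProperty -Path $sitePath -Name 'limits.connectionTimeout' `
    -Value ([TimeSpan]::FromSeconds(30))

# Application Pools > Advanced Settings > Process Model, as post #1 sets them.
Set-ItemProperty -Path "IIS:\AppPools\$appPool" -Name 'processModel.idleTimeout' `
    -Value ([TimeSpan]::FromMinutes(1))
Set-ItemProperty -Path "IIS:\AppPools\$appPool" -Name 'processModel.maxProcesses' -Value 0

# Not in post #1: post #6 notes that a connection timeout alone still admits a client
# that trickles 1 byte every 29 s. HTTP.sys also enforces webLimits/minBytesPerSecond
# (IIS default 240) and drops connections that stay below it, so pin it explicitly.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.applicationHost/webLimits' -Name 'minBytesPerSecond' -Value 240

# Read back what is now in effect.
(Get-WebConfigurationProperty -PSPath $sitePath -Filter $reqLimits -Name 'maxAllowedContentLength').Value
(Get-ItemProperty -Path $sitePath -Name 'limits').connectionTimeout
(Get-ItemProperty -Path "IIS:\AppPools\$appPool" -Name 'processModel').idleTimeout
(Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.applicationHost/webLimits' -Name 'minBytesPerSecond').Value
```

    Run it in an elevated PowerShell on the IIS host; every change lands in applicationHost.config, so keep a backup of that file before the first run.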

  7. #7
    Azia (Member, joined Sep 2019, 3 posts)

    Re: {IIS} Protect Against DoS (Slow Loris) Attacks

    Quote Originally Posted by Droppy View Post
    It means that you can send 1 byte every 29 seconds, up until 30.000.000 bytes, and still be connected.
    What do you recommend besides 30.000.000?
