{IIS} Protect Against DoS (Slow Loris) Attacks
Hellos RZ,
First things first, I am not an expert at these things and this is not a "this will 100% guarantee to block all DoS attacks"; this is just a few things I use to protect my IIS install from them. There are probably much better ways of doing this, and I probably have things that are messed up. If you know of a better way, then please let me know.
This tutorial also presumes you already have IIS installed and configured for your retro.
First thing you want to do is go into your IIS manager, go to your site, and go into Request Filtering.
Hit "Edit Feature Settings" on the right hand side, see screenshot below for my settings.
https://i.imgur.com/69Jf1HW.png
Click ok then go to the headers tab in request filtering, and add a new header with these entries
https://i.imgur.com/nwun2Hn.png
Then, go back to your website settings and right click and select "advanced settings" shown below. Then expand the limits tab and set connection timeout to 30. Once done click ok.
https://i.imgur.com/ZGn3k6C.png
Next go up to "Application Pools" and right click the one that shares the name with the website name you have set up. For me, this is default, and select advanced settings. Scroll down until you see "generate process model...." and set "Idle Time-Out (Minutes)" to "1" and "maximum Worker Processes" to 0 as shown.
https://i.imgur.com/Ofykj44.png
That should be it! Hopefully I haven't missed anything!
Re: {IIS} Protect Against DoS (Slow Loris) Attacks
To be clear, this isn't necessarily DDoS protection, but you're right it can help protect your server. You're essentially limiting the size of requests and setting a timeout on them so they don't queue up.
A better solution is full on mitigation to another server, and there are actually a lot of hosting companies that provide the service. You can also set it up yourself on AWS, if you know how.
Thanks for sharing.
Re: {IIS} Protect Against DoS (Slow Loris) Attacks
Quote: Originally Posted by Wreckless
To be clear, this isn't necessarily DDoS protection, but you're right it can help protect your server. You're essentially limiting the size of requests and setting a timeout on them so they don't queue up.
A better solution is full on mitigation to another server, and there are actually a lot of hosting companies that provide the service. You can also set it up yourself on AWS, if you know how.
Thanks for sharing.
Slow loris is a software-based attack (layer 7), not a spam or brute force.
Re: {IIS} Protect Against DoS (Slow Loris) Attacks
Most datacenters these days do mitigation, which is nice, so as long as your server is hosted by a datacenter that has it, the only real threat then is slowloris attacks... and probably many, many other things my tired brain can't think of... but hey, at least we somewhat have a way of holding against them!
Re: {IIS} Protect Against DoS (Slow Loris) Attacks
If money isn't an issue, CloudFlare's business plan will block all types of OWASP attacks.
Re: {IIS} Protect Against DoS (Slow Loris) Attacks
This helps in case of Slowloris attacks. Cloudflare doesn't for some reason.
The problem is that you can send very slow header requests, and Microsoft's own documentation says something that won't work on IIS 7.5+ for header timeout.
The best way is to set up load balancing with HAProxy, then limit the header/body timeout.
Header is usually pretty small, so I'd say the timeout should be 5 seconds.
Edit: By the way, isn't a 30.000.000 max content length a bit too high?
It would probably be ineffective against slowloris.
It means that you can send 1 byte every 29 seconds, up until 30.000.000 bytes, and still be connected.
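A small timing model of the point made in the post above, as an added example that is not part of the thread or of IIS/HAProxy: it compares a server that only enforces a per-chunk idle timer with one that also enforces a deadline for the whole request. The names `Policy`, `hold_time` and the schedules are hypothetical; the model assumes the 30-second limit behaves as an idle timer between chunks and applies the 5-second figure as a deadline on the whole modeled transfer.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (gap_seconds, bytes_per_chunk, chunk_count): chunk_count chunks, one every gap_seconds (> 0)
Segment = Tuple[float, int, int]

@dataclass(frozen=True)
class Policy:
    idle_timeout: float                       # seconds the server waits between chunks
    request_deadline: Optional[float] = None  # seconds allowed for the whole request

def hold_time(segments: List[Segment], needed_bytes: int, policy: Policy) -> Tuple[float, str]:
    """Return (seconds the connection stays open, why it ended) in this model."""
    deadline = math.inf if policy.request_deadline is None else policy.request_deadline
    clock, received = 0.0, 0

    def closed_by_timer(now: float) -> Tuple[float, str]:
        # Whichever server timer fires first ends the connection.
        idle_at = now + policy.idle_timeout
        return (deadline, "request deadline") if deadline <= idle_at else (idle_at, "idle timeout")

    for gap, size, count in segments:
        if gap >= policy.idle_timeout:
            return closed_by_timer(clock)     # next chunk arrives too late
        chunks = min(count, math.ceil((needed_bytes - received) / size))
        # Chunks that can still arrive before the overall deadline.
        in_time = chunks if deadline == math.inf else math.floor((deadline - clock) / gap)
        if in_time < chunks:
            return deadline, "request deadline"
        clock += chunks * gap
        received += chunks * size
        if received >= needed_bytes:
            return clock, "completed"
    return closed_by_timer(clock)             # sender went silent before finishing

# Constructed schedules, using the numbers quoted in the thread.
IDLE_ONLY = Policy(idle_timeout=30)
WITH_DEADLINE = Policy(idle_timeout=30, request_deadline=5)
DRIP = [(29.0, 1, 30_000_000)]      # 1 byte every 29 s, 30.000.000 bytes in total
NORMAL = [(0.05, 800, 1)]           # an 800-byte request that arrives in one piece

if __name__ == "__main__":
    for name, policy in (("idle only", IDLE_ONLY), ("idle + deadline", WITH_DEADLINE)):
        print(name, hold_time(DRIP, 30_000_000, policy), hold_time(NORMAL, 800, policy))
```

With only the idle timer, the drip schedule keeps one connection open for 870,000,000 seconds in this model; with the deadline it is closed after 5 seconds, while the normal request completes under both policies.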
Re: {IIS} Protect Against DoS (Slow Loris) Attacks
Quote: Originally Posted by Droppy
It means that you can send 1 byte every 29 seconds, up until 30.000.000 bytes, and still be connected.
What do you recommend besides 30.000.000?