How to Stop Slow HTTP Get&Post Attacks on Windows Servers?

In recent years, there has been a growing trend of attacking HTTP servers by simply exhausting their TCP connections. The attack is called the Slow HTTP Get&Post Attack, and many HTTP servers, including IIS, Apache and Nginx servers, suffer from this kind of DDoS attack. This article shows how the Slow HTTP Get&Post Attack takes down Internet servers and how to use Anti DDoS Guardian to protect Windows servers from slow HTTP

For an HTTP server, the maximum number of concurrent TCP connections is limited to a certain value, such as 5000 for a Windows 2003 server. If a user makes enough concurrent TCP connections to exceed the maximum value, the HTTP server will not respond to any more requests. Some tools were developed to carry out this kind of DDoS attack, and the most famous ones are Slowloris HTTP DoS, OWASP HTTP Post Tool and slowhttptest. These tools implement the most common low-bandwidth Application Layer DoS attacks. The technical details differ: some create HTTP Get DoS attacks, while others create HTTP Post DoS attacks.

The above picture shows OWASP HTTP Post Tool, which was created to allow you to test your web applications for availability concerns from Layer 7 HTTP GET and HTTP POST denial of service attacks.

Slow HTTP Get&Post attacks can be stopped by limiting the number of concurrent TCP connections for each client computer. If one client computer tries to access a Windows server with many TCP connections, such as 30 concurrent connections, the client computer will be marked as suspicious and its IP address will be blocked for a certain period.

The option dialog of Anti DDoS Guardian is shown above. With options 2.5, 2.6 and 2.7, an IP address will be blocked if it makes 15 TCP connections and keeps them open for over 30 seconds without disconnecting them. In our tests, the slow HTTP attacks were successfully stopped.
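
The blocking rule described above (15 connections from one IP held for over 30 seconds), as an added example that is not code from the article or from Anti DDoS Guardian. It replays a constructed stream of connection open/close events; the event format, the function names and the 600-second block duration are assumptions made for illustration.

```python
from collections import defaultdict

MAX_CONNS = 15       # per-client connection limit (value from the article)
HOLD_SECONDS = 30    # time a client may stay at the limit (value from the article)
BLOCK_SECONDS = 600  # assumed: the article only says "a certain period"

def sample_events():
    """Constructed (timestamp_s, client_ip, action) records, not real traffic."""
    ev = [(t, "203.0.113.10", "open") for t in range(15)]   # opens 15, never closes
    ev += [(5, "198.51.100.7", "open")] * 20                # short burst of 20 ...
    ev += [(8, "198.51.100.7", "close")] * 20               # ... closed 3 s later
    ev += [(0, "192.0.2.33", "open")] * 6                   # 6 long-lived connections
    ev += [(120, "192.0.2.33", "close")] * 6
    return ev

def find_blocks(events, now, max_conns=MAX_CONNS, hold=HOLD_SECONDS,
                block_for=BLOCK_SECONDS):
    """Return {ip: (blocked_at, unblock_at)} for clients that break the rule."""
    open_count = defaultdict(int)
    at_limit_since = {}   # ip -> time its open-connection count reached max_conns
    blocked = {}

    def expire(ts):
        # Block every client that has stayed at the limit for longer than `hold`.
        for ip, since in list(at_limit_since.items()):
            if ts - since > hold:
                blocked[ip] = (since + hold, since + hold + block_for)
                del at_limit_since[ip]
                open_count[ip] = 0            # blocking drops its connections

    for ts, ip, action in sorted(events):
        expire(ts)
        if ip in blocked and ts < blocked[ip][1]:
            continue                          # traffic from a blocked IP is ignored
        if action == "open":
            open_count[ip] += 1
            if open_count[ip] >= max_conns:
                at_limit_since.setdefault(ip, ts)
        elif action == "close" and open_count[ip] > 0:
            open_count[ip] -= 1
            if open_count[ip] < max_conns:
                at_limit_since.pop(ip, None)  # fell below the limit: reset the timer
    expire(now)
    return blocked

if __name__ == "__main__":
    for ip, (start, end) in find_blocks(sample_events(), now=120).items():
        print(f"block {ip} from t={start}s until t={end}s")
```

Only the client that sits at the limit past the hold time is blocked; the short burst of 20 connections and the client with 6 long-lived connections are left alone, which is why the rule combines a count with a duration.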