Hi, a recent qualys scan made on our servers brought out a "150085 Slow HTTP POST vulnerability"
With a response of:
Vulnerable to slow HTTP POST attack
Connection with partial POST body remained open for: 144142 milliseconds
Server resets timeout after accepting request data from peer.
I interpret this to mean that a LONG POST was done on the servers longer than 140 seconds.
Qualys then gives a link to the slowhttptest tool. I have the tool running in cygwin on my windows 7 machine trying to manipulate the behavior on my localhost first.
First issue is I am having trouble crafting the correct command for slowhttptest.
I have tried this:
./slowhttptest -c 50 -g -o stats -i 10 -r 50 -t POST -u http://localhost/ColorTest/default.aspx -x 32
./slowhttptest -c 50 -g -o stats -i 10 -r 50 -t POST -u http://localhost/ -x 32
However, every time my graphic does not seem helpful [image 1]
I have gone to IIS to alter the IIS setting for webLimits connectionTimeout to 45 seconds [image 2]. However, running the report yields the EXACT same result. I should be seeing different activity at 45 seconds, right? But I don't. My chart data on several permutations always stops/starts at the beginning or end of the chart and always at 130 seconds. It never even goes to the 240 default seconds.
I would like some direction and help for:
1. Am I crafting the correct slowhttptest for the given Qualys issue detected?
2. Am I on the right track with the connectionTimeout setting? On my production servers I have it set to 2 minutes, 120 seconds. So it frustrates me very much to see a 140 second POST body. It should never have gotten there.
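The Qualys line "Server resets timeout after accepting request data from peer" is the key to why the connectionTimeout change made no difference: that value is an idle timeout, and every trickled chunk of POST body resets it, so a client sending a few bytes every few seconds stays under it indefinitely. One thing a defender can do regardless of the server setting is look for the signature such a request leaves in the IIS W3C logs: a POST with a very large time-taken and a very small cs-bytes, i.e. a body that arrived at a tiny number of bytes per second. The script below is an added example, not code from the original poster or from Qualys or slowhttptest. It assumes IIS W3C logging with the cs-bytes and time-taken fields enabled (time-taken is in milliseconds), and the log lines, the 30-second floor and the 240 bytes/second threshold are constructed for illustration.

```python
"""Flag slow-POST style requests in IIS W3C log files.

Added example (not the original poster's code). A slow HTTP POST keeps a
connection open by sending the request body a few bytes at a time, so the
request shows up in the W3C log with a large time-taken (milliseconds) and a
small cs-bytes. We parse the log using its own #Fields directive and flag
POSTs whose body arrived below a bytes-per-second threshold.
"""
import io
from dataclasses import dataclass

# Constructed sample log. The #Fields list mirrors IIS W3C logging with the
# optional cs-bytes and time-taken columns switched on.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status cs-bytes time-taken
2014-01-01 00:00:01 10.0.0.5 GET /ColorTest/default.aspx - 80 192.0.2.10 200 412 15
2014-01-01 00:00:02 10.0.0.5 POST /ColorTest/default.aspx - 80 192.0.2.10 200 2048 120
2014-01-01 00:02:25 10.0.0.5 POST /ColorTest/default.aspx - 80 192.0.2.77 400 640 144142
2014-01-01 00:02:26 10.0.0.5 POST /ColorTest/default.aspx - 80 192.0.2.78 200 96 131000
"""


@dataclass
class SlowPost:
    client_ip: str
    uri: str
    cs_bytes: int
    time_taken_ms: int
    bytes_per_sec: float


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line.

    W3C values never contain raw spaces (IIS URL-encodes them), so a plain
    split on single spaces is safe.
    """
    fields = None
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new directive can appear mid-file
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log record seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def find_slow_posts(text, min_time_ms=30000, max_bytes_per_sec=240.0):
    """Return POST requests that took at least min_time_ms and whose request
    bytes arrived slower than max_bytes_per_sec (both thresholds are
    illustrative assumptions, not IIS or Qualys values)."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "POST":
            continue
        time_taken = int(rec["time-taken"])
        cs_bytes = int(rec["cs-bytes"])
        if time_taken < min_time_ms:
            continue  # fast requests cannot be slow-body attempts
        rate = cs_bytes / (time_taken / 1000.0)  # time_taken > 0 here
        if rate < max_bytes_per_sec:
            hits.append(SlowPost(rec["c-ip"], rec["cs-uri-stem"],
                                 cs_bytes, time_taken, rate))
    return hits


if __name__ == "__main__":
    for hit in find_slow_posts(SAMPLE_LOG):
        print(f"{hit.client_ip} {hit.uri}: {hit.cs_bytes} bytes over "
              f"{hit.time_taken_ms} ms ({hit.bytes_per_sec:.2f} B/s)")
```

Run against a real log, the two long-running, low-byte POSTs stand out while the normal 2048-byte POST that completed in 120 ms does not; grouping the hits by c-ip over a time window then shows whether one source is holding many such connections at once, which is what the scanner's test simulates.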