slow http header on qualys scan
Slow HTTP headers vulnerability.
Web Application is vulnerable to slow HTTP headers DDoS attack.
Has anyone ever seen this and if so, how is it fixed?
DaveArnold 270002S9XU1 Post
Re: slow http header on qualys scan 2013-05-13T10:35:19Z
Did you find a resolution for this?
We have just had the same Qualys scan results.
It can be fixed in the IHS instances using the "mod_reqtimeout" module, but there is nothing in the documentation for the internal WAS HTTP servers.
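An added example, not part of the thread or of any IBM/Apache tooling: a small audit that reads Apache/IHS configuration text and reports whether mod_reqtimeout is loaded and whether `RequestReadTimeout` bounds the header-read stage. The 40-second ceiling, the function names and both sample configurations are assumptions constructed for illustration; `Include` files and per-virtual-host overrides are not followed.

```python
import re

MAX_HEADER_TIMEOUT = 40  # assumed policy ceiling in seconds, not a value from the thread

STAGE_RE = re.compile(r"(handshake|header|body)=(\d+)(?:-(\d+))?(?:,MinRate=(\d+))?", re.I)

# Constructed sample configurations (not taken from any real server).
WEAK_CONF = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=0 body=0
"""
HARDENED_CONF = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
"""

def parse_reqtimeout(conf_text):
    """Return (module_loaded, {stage: (initial, ceiling, min_rate)}); last directive wins."""
    loaded, stages = False, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split(None, 1)
        name = words[0].lower()
        if name == "loadmodule" and "reqtimeout_module" in line:
            loaded = True
        elif name == "requestreadtimeout" and len(words) > 1:
            for stage, first, last, rate in STAGE_RE.findall(words[1]):
                # With MinRate and no "-max", the timeout keeps extending as data arrives.
                ceiling = int(last) if last else (None if rate else int(first))
                stages[stage.lower()] = (int(first), ceiling, int(rate) if rate else None)
    return loaded, stages

def audit(conf_text):
    """Return findings for the header stage; an empty list means the assumed policy is met."""
    loaded, stages = parse_reqtimeout(conf_text)
    findings = [] if loaded else ["mod_reqtimeout is not loaded"]
    header = stages.get("header")
    if header is None:
        # Policy assumption: require an explicit directive rather than rely on defaults.
        findings.append("no explicit header= timeout in RequestReadTimeout")
    elif header[0] == 0:
        findings.append("header timeout is 0 (no limit)")
    elif header[1] is None or header[1] > MAX_HEADER_TIMEOUT:
        findings.append("header timeout has no ceiling within %ds" % MAX_HEADER_TIMEOUT)
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```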
PB Point 2700031B2M1 Post
Re: slow http header on qualys scan 2013-05-20T15:30:39Z
If you are using Apache, the recommendations on how to harden the server can be found here:
WAS is doing a passive test, which means it analyzes the server response timings to abnormal requests and makes an evaluation based on this information.
https://community.qualys.com/blogs/securitylabs/2011/07/07/identifying-slow-http-attack-vulnerabilities-on-web-applications
To actively test if they are vulnerable - you can use slowhttptest mentioned in the above article - but this should only be done during a maintenance window for the site or in a separate QA environment as it can DoS the server pretty easily if the configuration is not set correctly.
Contact firstname.lastname@example.org if you have further issues/questions - we're here to help.