Slow HTTP attack

A slow HTTP attack is a denial-of-service technique in which a client deliberately sends its request (or reads the response) a few bytes at a time, so that the server keeps the connection, and the worker thread or buffer behind it, tied up while it waits for the rest of the message. Because each such connection costs the attacker almost nothing, a single client can exhaust the server's connection pool. Examples of slow HTTP attacks are Slowloris (the request headers never complete), slow POST (the request body trickles in), and slow read (the client consumes the response very slowly). Mitigation is most effective in front of the application server: at an edge server or load balancer, or in the configuration of the HTTP Server.

Some methods for mitigating a slow HTTP attack are shown in the following list.
Use a hardware load balancer that accepts only complete HTTP requests.
Using a hardware load balancer with an HTTP profile configured is the most effective way to stop such an attack. With an HTTP profile, the load balancer terminates the client connection itself, buffers the request until the headers and body have been fully received, and only then forwards the complete request to the web server, so the slow connection is held at the edge instead of by a server worker thread. A load balancer that only forwards TCP connections (layer 4) does not help, because the incomplete request is still passed through to the web server.
Use mod_reqtimeout to set timeouts for receiving the HTTP request headers and the HTTP request body from a client.
mod_reqtimeout is the Apache HTTP Server module, available in the Apache-based IBM HTTP Server, that is configured with the RequestReadTimeout directive. It applies one deadline to receiving the request header and a separate deadline to receiving the request body, and it can extend each deadline in proportion to a minimum data rate so that large but healthy uploads are not cut off. If a client fails to send the header or body data within the configured time, the server responds with a 408 Request Timeout error and closes the connection. For connections that reach the application server directly, WebSphere® Application Server provides analogous limits on its transport channels:
  • Inactivity timeout property. For more information, see TCP transport channel settings in the WebSphere Application Server documentation.
  • Read timeout and Write timeout properties. For more information, see HTTP transport channel settings in the WebSphere Application Server documentation.
Consider implementing the following measures, which harden the server's connection handling against slow clients:
  • Do not accept connections with an advertised window size that is abnormally small. An unusually small TCP receive window is the signature of a slow read attack: the client throttles the window so that the server cannot deliver the response and must hold the connection open.
  • Do not enable persistent connections and HTTP pipelining unless performance really benefits from them. Keep-alive lets one client hold a connection open across many requests, which multiplies the effect of a slow client.
  • Limit the absolute connection lifetime to a reasonable value, so that a connection is closed after that time even if the client is still trickling data.
Use a mechanism that tracks the rate at which the client is sending data.
Tracking the data rate helps identify a client that is attempting an attack. For example, define a minimum data rate and an interval length over which the rate is measured; a client that falls below the minimum during any interval is identified as bad. Disconnect any client that is identified as bad rather than letting it hold the connection.
The following list shows ways that you can manage the data rate for a client.
  • Configure a maximum transaction time for the client. Drop the client connection if the request has not completed within the maximum transaction time that was set at the server, even if the client is still sending data.
  • Use an edge server that buffers the request and passes the data to the application server only when its buffer is full, that is, when the complete request has been received. The application server then never waits on a slow client.
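To make the limits above concrete, here is an added example written for this page; it is not IBM HTTP Server, mod_reqtimeout or WebSphere code. It replays the bytes a server received on one connection against a policy that combines the header and body receive timeouts, the minimum data rate measured per interval, the maximum transaction time and the absolute connection lifetime described in the preceding sections, and reports the first reason to drop the client. The policy values, the traffic traces and the names Policy and check_connection are assumptions made for the illustration.

```python
"""Per-connection slow HTTP policy check.

Added example for this page; not IBM HTTP Server, mod_reqtimeout or WebSphere
code. Replays the bytes received on one connection against header/body receive
timeouts, a minimum data rate per interval and an absolute connection lifetime,
and reports the first reason to drop the client. Policy values and traffic
traces are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Event = Tuple[float, bytes]  # (seconds since accept(), bytes received at that time)


@dataclass(frozen=True)
class Policy:
    header_timeout: float = 20.0   # complete request header must arrive within this many seconds
    body_timeout: float = 20.0     # body must arrive within this many seconds after the header
    min_rate: int = 100            # minimum bytes per second, averaged over rate_interval (0 = off)
    rate_interval: float = 5.0     # length of each rate measurement window, in seconds
    max_lifetime: float = 300.0    # absolute cap on connection age, in seconds


def _content_length(header: bytes) -> int:
    """Return the declared Content-Length, or 0 when the header carries none."""
    for line in header.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            return int(value.strip())
    return 0


def check_connection(events: List[Event], now: float, policy: Policy = Policy()) -> str:
    """Replay a connection's receive timeline and return a verdict.

    "ok"       a complete request (header plus declared body) was received
    "pending"  the request is incomplete but no limit has been hit as of `now`
    otherwise  the limit that fired first: "header_timeout", "body_timeout",
               "slow_rate" or "lifetime_exceeded"
    """
    buf = b""
    header_end: Optional[int] = None  # offset just past the blank line, once seen
    header_done_at = 0.0
    body_len = 0
    window_start = 0.0                # start of the current rate window
    window_bytes = 0                  # bytes received in that window so far
    min_window_bytes = int(policy.min_rate * policy.rate_interval)

    def first_limit_hit(t: float) -> str:
        """Which limit, if any, fired before t, given no data arrived since the last event."""
        nonlocal window_start, window_bytes
        fired = {}  # verdict -> moment it fired; the earliest one wins
        if t > policy.max_lifetime:
            fired["lifetime_exceeded"] = policy.max_lifetime
        if header_end is None and t > policy.header_timeout:
            fired["header_timeout"] = policy.header_timeout
        if header_end is not None and t - header_done_at > policy.body_timeout:
            fired["body_timeout"] = header_done_at + policy.body_timeout
        # Every window that fully elapsed before t must have met the minimum rate.
        while t >= window_start + policy.rate_interval:
            if window_bytes < min_window_bytes:
                fired["slow_rate"] = window_start + policy.rate_interval
                break
            window_start += policy.rate_interval
            window_bytes = 0
        return min(fired, key=fired.get) if fired else ""

    for t, chunk in sorted(events):
        verdict = first_limit_hit(t)
        if verdict:
            return verdict
        window_bytes += len(chunk)
        buf += chunk
        if header_end is None and b"\r\n\r\n" in buf:
            header_end = buf.index(b"\r\n\r\n") + 4
            header_done_at = t
            body_len = _content_length(buf[:header_end])
        if header_end is not None and len(buf) - header_end >= body_len:
            return "ok"
    # No further data: decide whether to keep waiting as of `now`.
    return first_limit_hit(now) or "pending"


# Constructed traces, not captured traffic. Times are seconds after accept().
NORMAL_GET = [(0.05, b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n")]

# Slowloris style: a partial header, then one bogus header line every 10 s, never terminated.
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\nHost: app.example\r\n")] + \
            [(10.0 * i, b"X-keepalive: %d\r\n" % i) for i in range(1, 6)]

# Partial header followed by silence.
STALLED_HEADER = [(0.0, b"GET / HTTP/1.1\r\nHost: app.example\r\n")]

# Slow POST: complete header declaring a 100 kB body, then 600 bytes every 5 s. That is
# 120 B/s, enough to pass the rate check, but far too slow to finish inside body_timeout.
SLOW_POST = [(0.1, b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 100000\r\n\r\n")] + \
            [(1.0 + 5.0 * i, b"A" * 600) for i in range(10)]

# Legitimate POST that delivers its 3000-byte body promptly.
FAST_POST = [(0.1, b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3000\r\n\r\n"),
             (0.3, b"B" * 1500), (0.5, b"B" * 1500)]

if __name__ == "__main__":
    for name, trace in [("normal GET", NORMAL_GET), ("fast POST", FAST_POST),
                        ("Slowloris", SLOWLORIS), ("stalled header", STALLED_HEADER),
                        ("slow POST", SLOW_POST)]:
        print(f"{name:15s} -> {check_connection(trace, now=60.0)}")
```

A real server evaluates these limits continuously; this replay evaluates them at each receive and once more at `now`, and picks the limit that would have fired earliest so the verdict does not depend on when you happen to check. With the rate check enabled, the Slowloris trace is caught by the 5-second rate window long before the 20-second header timeout; with min_rate set to 0 the header timeout alone catches it at 20 seconds. The slow POST passes the rate check and is caught by the body timeout, and a long-running upload that satisfies every other limit is eventually ended by the absolute lifetime.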