I'm concerned about my IBM Security Access Manager (ISAM) being vulnerable to the slow HTTP attack mentioned in the article below.
How to Protect Against Slow HTTP Attacks https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
I notice the article mentions web servers specifically but I'm concerned the same issue is present in ISAM.
Resolving The Problem
[server] client-connect-timeout = 120
- Specifies how long WebSEAL holds the connection open for the initial HTTP or HTTPS request after the initial connection handshake. The default value is 120 seconds.
[server] intra-connection-timeout = 60
- Specifies the number of seconds allowed between request data fragments when request and response data are sent as two or more fragments.
- The stanza entry also governs the timeout between response data fragments after the first data fragment is returned by WebSEAL. The default value is 60 seconds.
- If the value of this stanza entry is 0, connection timeouts between data fragments are governed by the client-connect-timeout stanza entry. The exception to this rule occurs for responses that are returned over HTTP or TCP. In this case, there is no timeout between response fragments.
- If a connection timeout occurs on a non-first data fragment due to the intra-connection-timeout setting, a TCP reset packet is sent.
[server] persistent-con-timeout = 5
- Controls the maximum number of seconds that WebSEAL holds an HTTP persistent connection open for a new client request before the connection is shut down.
- The HTTP persistent connection opens after the HTTP request and server response exchange is complete. The default value is 5 seconds.
- If the value of this stanza entry is 0, the connection does not remain open for future requests. A value of zero causes WebSEAL to set the Connection: close header and then close the connection on every response.
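The three stanza entries interact, so it helps to see the effective per-phase timeout a given configuration yields. The script below is an added example, not IBM documentation or ISAM code: it reads a constructed webseald.conf-style [server] stanza with a minimal parser (an assumption, not ISAM's own parser) and applies the rules listed above; the phase names are chosen here for illustration.

```python
"""Report the effective WebSEAL timeouts per connection phase from a [server] stanza."""
import re

# Defaults as quoted on this page (seconds).
DEFAULTS = {
    "client-connect-timeout": 120,
    "intra-connection-timeout": 60,
    "persistent-con-timeout": 5,
}

# Constructed sample in webseald.conf style; not a real ISAM configuration file.
SAMPLE_CONF = """\
[server]
client-connect-timeout = 120
intra-connection-timeout = 0   # fall back to client-connect-timeout between fragments
persistent-con-timeout = 5
[junction]
unrelated-entry = yes
"""

def parse_stanza(text, stanza="server"):
    """Collect key = value pairs from one [stanza]; a minimal parser, not ISAM's own."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
        elif current == stanza and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            values[key] = val
    return values

def effective_timeouts(text):
    """Apply the stanza rules above; None means WebSEAL imposes no timeout for that phase."""
    cfg = parse_stanza(text)
    t = {k: int(cfg.get(k, d)) for k, d in DEFAULTS.items()}
    intra, connect = t["intra-connection-timeout"], t["client-connect-timeout"]
    between = intra if intra > 0 else connect     # intra=0 defers to client-connect-timeout
    return {
        "initial-request": connect,               # wait for the first request after the handshake
        "request-fragment": between,              # bound on a client trickling its request slowly
        "response-fragment-https": between,
        "response-fragment-http": intra or None,  # exception: intra=0 means no timeout over HTTP/TCP
        "idle-persistent": t["persistent-con-timeout"],  # 0 => Connection: close on every response
    }

if __name__ == "__main__":
    for phase, seconds in effective_timeouts(SAMPLE_CONF).items():
        print(f"{phase:26} {'no timeout' if seconds is None else f'{seconds}s'}")
```

Running it against the sample shows that setting intra-connection-timeout to 0 leaves HTTP response fragments with no timeout at all, which is the case to look for when reviewing a deployment.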
Web reverse proxies allow incoming requests to be limited based on a user-defined set of criteria and policy.
Rate limiting is performed by taking the incoming request and identifying the parts of the request that make it unique to a client. Information such as the IP address that made the connection, a session cookie, other header information, or the URL and HTTP method that were used can all be included to identify a client. The Reverse Proxy uses the rate limiting rules to match requests and then counts the number of matched requests within the specified time period. If the number of requests exceeds the maximum number of allowed requests, the Reverse Proxy terminates the connection.
More information regarding ISAM Rate Limiting can be found here: https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/c_ratelim.html
04 September 2019