IBM Support

How can I protect IBM Security Access Manager against the Slow HTTP Attack?

Troubleshooting


Problem

I'm concerned about my IBM Security Access Manager (ISAM) being vulnerable to the slow HTTP attack mentioned in the article below.

How to Protect Against Slow HTTP Attacks https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks

I notice the article mentions web servers specifically, but I'm concerned the same issue is present in ISAM.

Symptom

The attack exploits the server's wait time: the client mimics a slow internet connection, keeping each connection open for as long as the server is willing to wait for request data. IBM Security Access Manager offers some settings that can help mitigate this.

Resolving The Problem

Prior to the ISAM 9.0.6.0 release

There are two options to help mitigate this problem.

The first option is to place an Intrusion Protection System in front of your ISAM WebSEAL systems that can detect and prevent this type of attack.

The second option is to adjust the following three WebSEAL tuning parameters in the [server] stanza:
client-connect-timeout
Specifies how long WebSEAL holds the connection open for the initial HTTP or HTTPS request after the initial connection handshake. The default value is 120 seconds.

[server]
client-connect-timeout = 120

intra-connection-timeout
Specifies the number of seconds allowed between each request data fragment when request and response data is sent as two or more fragments.
The stanza entry also governs the timeout between response data fragments after the first data fragment is returned by WebSEAL. The default value is 60 seconds.

[server]
intra-connection-timeout = 60

If the value of this stanza entry is 0, connection timeouts between data fragments are governed by the client-connect-timeout stanza entry. The exception to this rule occurs for responses that are returned over HTTP or TCP; in this case, there is no timeout between response fragments.
If a connection timeout occurs on a non-first data fragment due to the intra-connection-timeout setting, a TCP reset packet is sent.

persistent-con-timeout
Controls the maximum number of seconds that WebSEAL holds an HTTP persistent connection open for a new client request before the connection is shut down.
The HTTP persistent connection opens after the HTTP request and server response exchange is complete. The default value is 5 seconds.

[server]
persistent-con-timeout = 5

If the value of this stanza entry is 0, the connection does not remain open for future requests. A value of zero causes WebSEAL to set the Connection: close header and then close the connection on every response.
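As an added check (example code, not IBM's), the script below parses a webseald.conf-style [server] stanza and reports the effective wait times implied by these three entries, applying the rule above that an intra-connection-timeout of 0 defers to client-connect-timeout. The stanza file format it accepts, the 30-second ceilings it flags and the sample stanza are all assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Documented defaults for the three [server] timeouts (seconds).
DEFAULTS = {"client-connect-timeout": 120, "intra-connection-timeout": 60, "persistent-con-timeout": 5}

# Constructed webseald.conf excerpt: defaults kept, fragment timeout set to 0.
SAMPLE_CONF = """\
[server]
client-connect-timeout = 120
intra-connection-timeout = 0
persistent-con-timeout = 5
"""

def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[stanza]' / 'key = value' lines; '#' starts a comment (assumed format)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective_timeouts(stanzas: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, int], int]:
    """Apply defaults, then the documented rule: 0 hands fragment timing to client-connect-timeout."""
    server = stanzas.get("server", {})
    vals = {k: int(server.get(k, d)) for k, d in DEFAULTS.items()}
    frag = vals["intra-connection-timeout"]
    return vals, (vals["client-connect-timeout"] if frag == 0 else frag)

def audit(text: str, max_connect: int = 30, max_fragment: int = 30) -> List[str]:
    """Return findings; the 30 s ceilings are assumed hardening targets, not IBM guidance."""
    vals, frag = effective_timeouts(parse_stanzas(text))
    findings = []
    if vals["client-connect-timeout"] > max_connect:
        findings.append(f"client-connect-timeout={vals['client-connect-timeout']}s exceeds {max_connect}s")
    if vals["intra-connection-timeout"] == 0:
        findings.append("intra-connection-timeout=0: falls back to client-connect-timeout; "
                        "no timeout between response fragments over plain HTTP")
    if frag > max_fragment:
        findings.append(f"effective fragment timeout {frag}s exceeds {max_fragment}s")
    return findings
```

Run audit() over a copy of the live webseald.conf; the sample stanza above yields three findings, and a stanza with both timeouts at or below the ceiling yields none.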
After the ISAM 9.0.6.0 release

In the ISAM 9.0.6.0 release, the Rate Limiting feature was implemented to help prevent these types of attacks.

Web reverse proxies allow incoming requests to be limited based on a user-defined set of criteria and policy.

Rate limiting helps protect against the following:
  • Brute force attacks on sensitive information such as passwords or PINs
  • Denial of Service attacks on a server or the Web Reverse Proxy

Rate limiting is performed by taking the incoming request and identifying the parts of the request that make it unique to a client. Information such as the IP address that made the connection, a session cookie, other header information, or the URL and HTTP method that were used can all be included to identify a client. The Reverse Proxy uses the rate limiting rules to match requests and then counts the number of matched requests within the specified time period. If the number of requests exceeds the maximum number allowed, the Reverse Proxy terminates the connection.

More information regarding ISAM Rate Limiting can be found here: https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/c_ratelim.html

Document Location

Worldwide


Document Information

Modified date:
04 September 2019

UID

ibm10967495