IBM Support

webMethods Knowledgebase : Slow HTTP POST vulnerability (1791528)

Troubleshooting


Problem

URL: Load Balancer URL for webMethods Enterprise Gateway

Payload: N/A

Vulnerable to slow HTTP POST attack.

IS resets timeout after accepting request data from peer.

All other services remain intact, but IS itself becomes inaccessible.

Impact:

Integration Server is possibly vulnerable to a slow HTTP POST Denial of Service (DoS) attack.

This is an application-level DoS (Denial of Service) that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server.

If the server maintains too many connections open at once, then it may not be able to respond to new, legitimate connections.

Unlike bandwidth-consumption DoS attacks, the slow attack does not require a large amount of traffic to be sent to the server -- only that the client is able to maintain open connections for several minutes at a time.

The attack holds server connections open by sending properly crafted HTTP POST headers that contain a Content-Length header with a large value to inform the web server how much data to expect.

After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources.

By waiting for the complete request body, the server is helping clients with slow or intermittent connections to complete requests, but is also exposing itself to abuse.

Further information can be found at the link below:

https://media.blackhat.com/bh-dc-11/Brennan/BlackHat_DC_2011_Brennan_Denial_Service-Slides.pdf

The solution is server-specific, but the general recommendations are as follows:

- limit the size of the acceptable request to what each form actually requires

- establish a minimum acceptable transfer rate for the request body

- establish an absolute request timeout for connections carrying a POST request

Server-specific details can be found at the link below:

https://community.qualys.com/blogs/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks
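The three recommendations above (size limit, minimum rate, absolute timeout) can be implemented in any server's body-reading loop. The following is an added illustration, not code from this article or from the webMethods product: a policy object plus a defensive read loop, exercised against a constructed fake connection whose recv() advances a simulated clock. The policy values, the FakeConnection class and the scenario scripts are all assumptions chosen for the demonstration.

```python
"""Defensive reading of an HTTP POST body: enforce a size cap, a minimum
transfer rate and an absolute deadline so a slow sender cannot pin a
worker for minutes. Added example; not from the original article."""
import time
from dataclasses import dataclass
from typing import Callable, Tuple


@dataclass(frozen=True)
class PostBodyPolicy:
    max_body_bytes: int          # recommendation 1: cap on Content-Length
    min_bytes_per_sec: float     # recommendation 2: minimum sustained rate
    absolute_timeout_sec: float  # recommendation 3: hard deadline per request
    window_sec: float = 5.0      # how often the rate is re-evaluated


# Assumed policy values for the demonstration (tune per deployment).
EXAMPLE_POLICY = PostBodyPolicy(
    max_body_bytes=1_000_000, min_bytes_per_sec=100.0,
    absolute_timeout_sec=30.0, window_sec=5.0)


def read_post_body(content_length: int,
                   recv: Callable[[int], bytes],
                   policy: PostBodyPolicy,
                   clock: Callable[[], float] = time.monotonic
                   ) -> Tuple[str, bytes]:
    """Read exactly content_length bytes via recv(), aborting when the
    policy is violated. Returns (status, bytes_received_so_far) where
    status is one of: ok, too_large, too_slow, timeout, closed."""
    if content_length < 0 or content_length > policy.max_body_bytes:
        return "too_large", b""          # reject before reading anything
    start = clock()
    last_check = start
    bytes_since_check = 0
    body = bytearray()
    while len(body) < content_length:
        if clock() - start > policy.absolute_timeout_sec:
            return "timeout", bytes(body)  # deadline hit even at OK rate
        chunk = recv(content_length - len(body))
        if not chunk:
            return "closed", bytes(body)   # peer went away mid-body
        body += chunk
        bytes_since_check += len(chunk)
        now = clock()
        elapsed = now - last_check
        if elapsed >= policy.window_sec:
            if bytes_since_check / elapsed < policy.min_bytes_per_sec:
                return "too_slow", bytes(body)  # drip-feeding detected
            last_check, bytes_since_check = now, 0
    return "ok", bytes(body)


class FakeConnection:
    """Constructed stand-in for a socket. script is a list of
    (delay_seconds, chunk) pairs; each recv() advances the fake clock
    by the delay and returns the chunk, so no real time passes."""

    def __init__(self, script):
        self.script = list(script)
        self.t = 0.0

    def clock(self) -> float:
        return self.t

    def recv(self, n: int) -> bytes:
        if not self.script:
            return b""
        delay, chunk = self.script.pop(0)
        self.t += delay
        return chunk[:n]


def run_scenario(content_length: int, script, policy=EXAMPLE_POLICY):
    """Run read_post_body against a scripted fake peer; return
    (status, bytes_received)."""
    conn = FakeConnection(script)
    status, body = read_post_body(content_length, conn.recv, policy, conn.clock)
    return status, len(body)


# Constructed scenarios:
def legitimate_client():        # 1 KiB arriving in two quick chunks
    return run_scenario(1024, [(0.01, b"x" * 512), (0.01, b"x" * 512)])


def oversized_client():         # Content-Length far beyond the cap
    return run_scenario(5_000_000, [(0.01, b"x" * 1024)])


def slow_drip_client():         # one byte per second: rate check trips
    return run_scenario(100_000, [(1.0, b"x")] * 200)


def long_lived_client():        # 120 B/s passes the rate check but
    return run_scenario(10_000, [(5.0, b"x" * 600)] * 20)  # exceeds 30 s


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_client),
                     ("oversized", oversized_client),
                     ("slow_drip", slow_drip_client),
                     ("long_lived", long_lived_client)]:
        print(name, fn())
```

The rate check and the absolute deadline are deliberately separate: a sender can stay just above the minimum rate indefinitely, so the deadline is what bounds worst-case connection lifetime, while the rate check catches the classic one-byte-at-a-time drip much sooner than the deadline would.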

A tool that demonstrates this vulnerability in a more intrusive manner is available at https://github.com/shekyan/slowhttptest

Product webMethods Integration Server

Version 9.9.0.0

Updates IS_9.9_SPM_Fix2

IS_9.9_Core_Fix6

IS_9.9_SPM_Fix1

IS_9.9_Core_Fix3

Build Number 102

SSL Strong (128-bit)

Document Location

Worldwide



Document Information

Modified date:
20 March 2025

UID

ibm17226240