
Azure Web app vulnerable to HTTP Slow Post attack

Question asked by Parker Derks on Jul 28, 2016
Latest reply on Jul 28, 2016 by Busby

We have a web app that is being hosted on Azure and have run Qualys security scans against it that tell us it is vulnerable to an HTTP Slow POST attack. The analysis from Qualys tells us that it was able to keep a connection open for over 2 minutes, making us vulnerable to a denial-of-service attack. To try to resolve the issue we have made edits to the web.config and applicationhost.config files. We have set our allowed maxContentLength, connectionTimeout, headerRequestTimeout, and minBytesPerSecond attributes accordingly, so that a connection should be terminated before reaching 2 minutes.

Even with all of these settings in place, a Qualys scan still shows that we are vulnerable and that the connection was held open for longer than 2 minutes. One possible reason we found for this is that our site has an Azure load balancer in front of it, and the connection timeout for the load balancer can only be set to something between 4 minutes and 30 minutes (which is above the 2 minutes that Qualys complains about).

Is it possible that the Qualys scan hits the load balancer and could be giving the impression that we are vulnerable when we are not? I was hoping someone would have some insight into this and, if the load balancer isn't the problem, any other reasons this could be happening or potential solutions.
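A way to answer the "is it the load balancer?" question without waiting for another scan is to reproduce the scanner's measurement yourself and run it against both the public hostname and, where reachable, the origin behind the balancer. The following probe is an added example written for this page; it is not Qualys's scanner, IIS code, or anything posted in the thread. It opens a POST that promises a large body, trickles that body one byte at a time, and reports how long the peer kept the connection open. The StallLimitedServer class is a constructed local stand-in for a hardened origin so the example runs offline; the example.com target in the main block is a placeholder, not a real host from the page.

```python
"""Slow-POST hold-time probe (added example; not Qualys's scanner or IIS code).

Opens a POST that promises a large body, trickles that body one byte at a
time, and measures how long the peer keeps the connection open. Pointed at
the public hostname it measures whatever terminates the connection first
(load balancer, reverse proxy or IIS); pointed at an origin address it
measures IIS alone.
"""
import socket
import ssl
import threading
import time


def slow_post_hold_time(host, port=80, path="/", declared_length=1_000_000,
                        interval=5.0, max_wait=150.0, use_tls=False):
    """Return seconds until the peer closed or answered, or max_wait if it never did.

    interval: pause between trickled body bytes; keep it above the server's
              stall limit (IIS minBytesPerSecond) so a hardened server drops us.
    max_wait: cap on the test length (150 s comfortably exceeds the 2-minute
              threshold the scanner complained about).
    """
    raw = socket.create_connection((host, port), timeout=interval + 5)
    sock = (ssl.create_default_context().wrap_socket(raw, server_hostname=host)
            if use_tls else raw)
    start = time.monotonic()
    request = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {declared_length}\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    ).encode()
    try:
        sock.sendall(request)
        sock.settimeout(interval)
        while time.monotonic() - start < max_wait:
            try:
                sock.recv(4096)   # b"" (FIN/close_notify) or an early response: peer gave up
                break
            except socket.timeout:
                pass              # nothing from the peer yet: keep trickling
            except OSError:
                break             # RST or TLS alert: connection is gone
            try:
                sock.sendall(b"a")   # one body byte per `interval` seconds
            except OSError:
                break
    finally:
        sock.close()
    return min(time.monotonic() - start, max_wait)


def verdict(hold_seconds, threshold=120.0):
    """Map a measured hold time onto the scanner's pass/fail criterion."""
    return "closed before threshold" if hold_seconds < threshold else "held open past threshold"


class StallLimitedServer:
    """Constructed stand-in for a hardened origin (not IIS or the Azure load balancer).

    Serves one connection and drops it as soon as the body stalls for longer
    than `stall_seconds`, which is the effect IIS minBytesPerSecond has.
    """

    def __init__(self, stall_seconds):
        self.stall_seconds = stall_seconds
        self._listener = socket.socket()
        self._listener.bind(("127.0.0.1", 0))
        self._listener.listen(1)
        self.port = self._listener.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        conn, _ = self._listener.accept()
        conn.settimeout(self.stall_seconds)
        try:
            while conn.recv(4096):   # keep reading until the client closes...
                pass
        except socket.timeout:
            pass                     # ...or the body stalls: drop the client
        finally:
            conn.close()
            self._listener.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder target
    held = slow_post_hold_time(target, port=443, use_tls=True)
    print(f"{target}: connection held {held:.1f}s -> {verdict(held)}")
```

Run it once against the public hostname and once against the origin (if Azure lets you reach it). If the origin drops the trickle within a few seconds but the public name holds it for the balancer's 4-minute-plus idle window, the scanner is measuring the edge, not IIS, and the per-site settings cannot change that result; if both hold past 2 minutes, the IIS limits are not taking effect and the config edits need another look.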
