IIS 8.5 low minBytesPerSecond not working against slow HTTP POST

I have an ASP.NET site running IIS 8.5 on Windows 2012 R2.

I'm trying to use the MinBytesPerSecond config parameter (in applicationHost\WebLimits) as part of a strategy to mitigate slow HTTP POST attacks, but can't seem to get IIS to respect the value. I've tried the default 240 bytes/s plus much higher values.

I am using OWASP/ProactiveRISK SwitchBlade to leak the 1 byte/sec POST body to the server, but cannot get it to refuse the connection.

The use of MinBytesPerSecond is recommended in a number of articles on the Internet regarding slow DOS attacks, and therefore I am surprised that I am having difficulty. I restarted IIS after every setting change just in case.

Could this parameter be monitored by another process that might not work?

Any ideas, things to consider or alternatives would be greatly appreciated.

EDIT:

Just noted this in the IIS config here, minBytesPerSecond ...

Determines the minimum bandwidth, in bytes, that HTTP.sys performs when it sends a response to the client. The minBytesPerSecond attribute allows attackers or unhealthy software clients to exploit resources by opening a connection with minimal data. If the bandwidth is below the minBytesPerSecond value, the connection is terminated.

Does this mean that this parameter only applies to the rate at which the response is returned, i.e. can only be used against slow reads - does anyone have any knowledge or experience with minBytesPerSecond?

Thanks.
