07-03-2013 09:13 AM
I just received an evaluation report from a Pen Test done against my load balancers.
What they called "Web Server vulnerable to slow HTTP Denial of Service attack".
Their explanation for this is "Hardware load balancer should be configured for delayed binding. (This means the load balancer waits for the HTTP Request header to be fully received before forwarding to the Web Server.)".
The business unit is looking for remediation of this and I am not sure where to start looking or what questions to ask.
The load balancer terminates the SSL connection and then redirects HTTP traffic to HTTPS to the user but forwards the traffic over port 80 to the back-end web servers.
07-04-2013 03:16 PM
Hello Robert,
You have faced the DoS attack called Slowloris.
http://www.funtoo.org/wiki/Slowloris_DOS_Mitigation_Guide
Slowloris is an HTTP Denial of Service (DoS) tool written in PERL that is used to perform denial of service attacks against Apache-based servers (as well as other web services). Slowloris exhausts all available server connections by repeatedly initiating several hundred valid HTTP requests to the server and keeping these connections open using a minimal amount of TCP traffic to consume server resources. Once server resources are exhausted, the server is no longer able to respond to legitimate traffic.
Per CSCtu08459, you are now able to configure the ACE to mitigate a Slowloris HTTP DOS attack by including an HTTP parse timeout in your HTTP parameter map. With software version A5(1.2), the new set max-parse-time command has been added as protection from Slowloris DoS attacks. The default HTTP parsing timeout is set to 255 seconds, and if the ACE does not receive a GET request from the connection within 255 seconds, the HTTP parse timeout initiates and the ACE drops the connection and sends a reset to the client. You can increase this timeout maximum through the set max-parse-time command.
The syntax of this parameter map HTTP configuration mode command is as follows:
set max-parse-time time
The time argument is the time in seconds for the maximum length of the HTTP parsing timeout. Valid entries are 1 to 65535 seconds.
For example, to enter an HTTP parsing timeout of 200 seconds, enter the following:
host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)# set max-parse-time 200
--
Best regards,
Dmitry
07-05-2013 05:24 AM
Dmytro,
Thanks for the response.
In the link that you provided it shows an example CSS configuration with the following explanation.
"Delayed binding typically causes the load balancer to perform an HTTP Request header completeness check, which means that the HTTP Request will not be sent to the appropriate Web server until the final two carriage return and line feeds are sent by the HTTP client. This is the key bit of information. Basically, delayed binding ensures that your Web server or proxy will never see any of the incomplete requests being sent out by Slowloris."
How does the parsing timeout accomplish this? Does the timeout do the HTTP request header completeness check prior to timing out the connection?
Looks like I need to upgrade the code on the load balancers in order to get this feature.
07-05-2013 05:40 AM
Robert,
Yes, as was described in the previous message, the command does the HTTP request completeness check and if the request is not complete the ACE will drop it without passing to the real server.
The default HTTP parsing timeout is set to 255 seconds, and if the ACE does not receive a GET request from the connection within 255 seconds, the HTTP parse timeout initiates and the ACE drops the connection and sends a reset to the client.
As this command has been available since version A5(1.2), you would need to upgrade the code to one of the latest versions to get this feature.
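To make the completeness check and parse timeout concrete, here is a small simulation added to this thread (not ACE code and not from either poster): it buffers header bytes from constructed client streams, forwards only once the terminating blank line has arrived, and resets the connection if max-parse-time elapses first. The 8192-byte header cap and the sample chunk streams are assumptions.

```python
# Simulation of the "delayed binding" / HTTP parse-timeout behaviour described above:
# the load balancer buffers the request header and forwards it to a real server only
# once the terminating CRLF CRLF has arrived; if that does not happen within
# max-parse-time seconds the client connection is reset and the server never sees it.
# Added illustration with constructed data, not ACE code.
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192  # assumed cap so a trickling client cannot grow the buffer without bound

@dataclass
class Decision:
    action: str            # "forward" or "reset"
    elapsed: float         # seconds after the first byte at which the decision was made
    header: bytes = b""    # the complete header handed to the real server, if any

def header_complete(buf: bytes) -> bool:
    """True once the blank line that ends an HTTP request header is present."""
    return HEADER_END in buf

def delayed_binding(chunks, max_parse_time=255.0):
    """Apply the completeness check to a list of (arrival_time_seconds, data) chunks.

    Returns Decision("forward", ...) the moment the header is complete, or
    Decision("reset", ...) when max_parse_time elapses first (or the header is oversized).
    The default mirrors the 255 s ACE default quoted in the thread.
    """
    buf = b""
    start = chunks[0][0] if chunks else 0.0
    for t, data in chunks:
        if t - start > max_parse_time:
            # The timer fired before this chunk arrived: drop and send RST at the timeout.
            return Decision("reset", max_parse_time)
        buf += data
        if len(buf) > MAX_HEADER_BYTES:
            return Decision("reset", t - start)
        if header_complete(buf):
            end = buf.index(HEADER_END) + len(HEADER_END)
            return Decision("forward", t - start, buf[:end])
    # Client went quiet without finishing the header; the timer expires on its own.
    return Decision("reset", max_parse_time)

# Constructed sample streams (not captured traffic).
NORMAL_CLIENT = [
    (0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (0.2, b"User-Agent: browser\r\n\r\n"),
]
SLOW_CLIENT = [  # one partial header line every 100 s, never the final blank line
    (0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (100.0, b"X-a: b\r\n"),
    (200.0, b"X-a: b\r\n"),
    (300.0, b"X-a: b\r\n"),
]
```

With `set max-parse-time 200` as in the example above, the normal client is forwarded after 0.2 s and the slow client is reset at 200 s without any bytes reaching the web server.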