Fortinet black logo

Administration Guide

Preventing slow and low attacks

Preventing slow and low attacks

A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

The following two commands in server-policy policy are useful to prevent slow and low attacks that periodically add HTTP headers to a request.

config server-policy policy

edit "<policy_name>"

set http-header-timeout <seconds_int>

set tcp-recv-timeout <seconds_int>

next

end

Variable Description Default

http-header-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
The valid range is 0–1200. A value of 0 means that there is no timeout.

0

tcp-recv-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.
The valid range is 0–300. A value of 0 means that there is no timeout.

0

Moreover, you can use the Transaction Timeout and Packet Interval Timeout filters to prevent the long-lasting HTTP transactions. For more information, see Combination access control & rate limiting.

Preventing slow and low attacks

A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

The following two commands in server-policy policy are useful to prevent slow and low attacks that periodically add HTTP headers to a request.

config server-policy policy

edit "<policy_name>"

set http-header-timeout <seconds_int>

set tcp-recv-timeout <seconds_int>

next

end

Variable Description Default

http-header-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
The valid range is 0–1200. A value of 0 means that there is no timeout.

0

tcp-recv-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.
The valid range is 0–300. A value of 0 means that there is no timeout.

0

Moreover, you can use the Transaction Timeout and Packet Interval Timeout filters to prevent the long-lasting HTTP transactions. For more information, see Combination access control & rate limiting.