Preventing slow and low attacks
A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.
Configuring protection rules for slow and low attacks
You can configure FortiWeb to prevent the long-lasting HTTP transactions.
- Go to Bot Mitigation > Threshold Based Detection.
- Click Create New.
- For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
- Configure the slow attack detection settings:
Slow Attack Detection
HTTP Transaction Timeout
Specify a timeout value, in seconds, for the HTTP transaction.
Packet Interval Timeout
Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).
Define the frequency when HTTP response type is HTML, plain, XML, SOAP, and JSON.
Enter the length of time, in seconds, which FortiWeb detects slow attack events.
Select which action FortiWeb will take when it detects a violation of the policy:
Alert—Accept the connection and generate an alert email and/or log message.
Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.
Deny (no log)—Block the request (or reset the connection).
Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.
The default value is Alert.
Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3600 seconds (1 hour)
This setting is available only if Action is set to Period Block.
When policy violations are recorded in the attack log, each log message contains a Severity Level (
severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:
The default value is Low.
Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.
- Click OK.
See information on the threshold based detection rule, see Configuring threshold based detection.
In addition to the configurations in the threshold based detection rule, the following two commands in
server-policy policy are also useful to prevent slow and low attacks that periodically add HTTP headers to a request.
config server-policy policy
set http-header-timeout <seconds_int>
set tcp-recv-timeout <seconds_int>
The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.