Fortinet black logo

Administration Guide

Preventing slow and low attacks

Preventing slow and low attacks

A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

Configuring protection rules for slow and low attacks

You can configure FortiWeb to prevent the long-lasting HTTP transactions.

  1. Go to Bot Mitigation > Threshold Based Detection.
  2. Click Create New.
  3. For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
  4. Configure the slow attack detection settings:
  5. Slow Attack Detection

    HTTP Transaction Timeout

    Specify a timeout value, in seconds, for the HTTP transaction.

    Packet Interval Timeout

    Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).

    Occurrence

    Define the frequency when HTTP response type is HTML, plain, XML, SOAP, and JSON.

    Within (Seconds)

    Enter the length of time, in seconds, which FortiWeb detects slow attack events.

    Action

    Select which action FortiWeb will take when it detects a violation of the policy:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3600 seconds (1 hour)

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.

  6. Click OK.

See information on the threshold based detection rule, see Configuring threshold based detection.

In addition to the configurations in the threshold based detection rule, the following two commands in server-policy policy are also useful to prevent slow and low attacks that periodically add HTTP headers to a request.

config server-policy policy

edit "<policy_name>"

set http-header-timeout <seconds_int>

set tcp-recv-timeout <seconds_int>

next

end

Variable Description Default

http-header-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
The valid range is 0–1200. A value of 0 means that there is no timeout.

0

tcp-recv-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.
The valid range is 0–300. A value of 0 means that there is no timeout.

0

Preventing slow and low attacks

A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

Configuring protection rules for slow and low attacks

You can configure FortiWeb to prevent the long-lasting HTTP transactions.

  1. Go to Bot Mitigation > Threshold Based Detection.
  2. Click Create New.
  3. For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
  4. Configure the slow attack detection settings:
  5. Slow Attack Detection

    HTTP Transaction Timeout

    Specify a timeout value, in seconds, for the HTTP transaction.

    Packet Interval Timeout

    Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).

    Occurrence

    Define the frequency when HTTP response type is HTML, plain, XML, SOAP, and JSON.

    Within (Seconds)

    Enter the length of time, in seconds, which FortiWeb detects slow attack events.

    Action

    Select which action FortiWeb will take when it detects a violation of the policy:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3600 seconds (1 hour)

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.

  6. Click OK.

See information on the threshold based detection rule, see Configuring threshold based detection.

In addition to the configurations in the threshold based detection rule, the following two commands in server-policy policy are also useful to prevent slow and low attacks that periodically add HTTP headers to a request.

config server-policy policy

edit "<policy_name>"

set http-header-timeout <seconds_int>

set tcp-recv-timeout <seconds_int>

next

end

Variable Description Default

http-header-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
The valid range is 0–1200. A value of 0 means that there is no timeout.

0

tcp-recv-timeout <seconds_int>

The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.
The valid range is 0–300. A value of 0 means that there is no timeout.

0