Ask Learn
Preview
Ask Learn is an AI assistant that can answer questions, clarify concepts, and define terms using trusted Microsoft documentation.
Please sign in to use Ask Learn.
Sign inNote
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Slow HTTP Attack 是denial-of-service (DoS) 的其中一種攻擊方法,駭客可藉由傳送[大量], [片段], [緩慢] 的HTTP請求來干擾Web Server的正常運作,後續將介紹IIS Server上如何使用Request Filtering來進行防護。
步驟一: 設定HTTP Request 屬性: 用來限制HTTP 請求的URL及query string長度。
1. 取消勾選 [Allow unlisted verbs]
2. Max URL length: 2048
3. Max query string: 1024
圖一, IIS request filtering設定
步驟二: 設定Header:
在Headers中設定 [Content-type] : 100
圖二, 設定headers
步驟三: 設定connectionTimeout, headerWaitTimeout, and minBytesPerSecond等屬性來降低攻擊所帶來的影響。
<configuration>
<system.applicationHost>
<webLimits connectionTimeout="00:00:30"
headerWaitTimeout="00:00:30"
minBytesPerSecond="250"
/>
</system.applicationHost>
</configuration>
步驟四: 設定完成後,請執行iisreset 讓設定生效。
Enjoy!
- Anonymous
August 13, 2015
Thanks