Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACE 4710 issue with HTTP Headers

I just recieved an evaluation report from a Pen Test done against my load balancers.

What they called "

Web Server vulnerable to slow HTTP Denial of Service attack".

Their explanation for this is "

Hardware load balancer should be configured for delayed binding.  (This means the load balancer waits for the HTTP Request header to be fully received before forwarding to the Web Server.)".

The business unit is looking for remediation of this and I am not sure where to start looking or what questions to ask.

the Load balncer terminates the SSL connection and then redirects HTTP traffic to HTTPS to the user but forwards the traffic over port 80 to the back-end web servers.

3 REPLIES
New Member

ACE 4710 issue with HTTP Headers

Hello Robert,

You have faced with the DoS attack which called Slowloris.

http://www.funtoo.org/wiki/Slowloris_DOS_Mitigation_Guide

Slowloris is an HTTP Denial of Service (DoS) tool written in PERL that  is used to perform denial of service attacks against Apache-based  servers (as well as other web services). Slowloris exhausts all  available server connections by repeatedly initiating several hundred  valid HTTP requests to the server and keeping these connections open  using a minimal amount of TCP traffic to consume server resources. Once  server resources are exhausted, the server is no longer able to respond  to legitimate traffic.

Per CSCtu08459, you are now able to configure the ACE to mitigate a  Slowloris HTTP DOS attack by including an HTTP parse timeout in your  HTTP parameter map. With software version A5(1.2), the new set max-parse-time command has been added as protection from Slowloris DoS attacks. The  default HTTP parsing timeout is set to 255 seconds, and if the ACE does  not receive a GET request from the connection within 255 seconds, the  HTTP parse timeout initiates and the ACE drops the connection and sends a  reset to the client. You can increase this timeout maximum through the set max-parse-time command.

The syntax of this parameter map HTTP configuration mode command is as follows:

set max-parse-time time

The time argument is the time in seconds for the maximum length of the HTTP parsing timeout. Valid entries are 1 to 65535 seconds.

For example, to enter an HTTP parsing timeout of 200 seconds, enter the following:

host1/Admin(config)# parameter-map type http HTTP_MAP

host1/Admin(config-parammap-http)# set max-parse-time 200

--

Best regards,

Dmitry

New Member

ACE 4710 issue with HTTP Headers

Dmytro,

Thanks for the response.

In the link that you provided it shows and example CSS configuration with the following explanation.

"Delayed binding typically causes the load balancer to perform an HTTP  Request header completeness check, which means that the HTTP Request  will not be sent to the appropriate Web server until the final two  carriage return and line feeds are sent by the HTTP client. This is the  key bit of information. Basically, delayed binding ensures that your Web  server or proxy will never see any of the incomplete requests being  sent out by Slowloris."

How does the parsing timeout accomplish this? Does the timeout do the HTTP request header completeness check prior to timing out the connection?

Looks like I need to upgrade the code on the load balancers in order to get this feature.

New Member

ACE 4710 issue with HTTP Headers

Robert,

Yes, as was discribed in the previous message, the command does the HTTP request completeness check and if the request is not complete the ACE will drop it without passing to the real server.

The  default HTTP parsing timeout is set to 255 seconds, and if the ACE does  not receive a GET request from the connection within 255 seconds, the  HTTP parse timeout initiates and the ACE drops the connection and sends a  reset to the client.

As this command has been available since version A5(1.2), then you would need to upgrade the code to one of the latest versions to get this feature.

427
Views
30
Helpful
3
Replies