Question / Problem:
How to harden Kofax Front Office Server 4.1 against potential Slow HTTP POST Denial of Service (DOS) attacks
Answer / Solution:
Slow HTTP POST Denial of Service attacks open multiple connections to a server and hold those connections open for a long period of time. The attacker does this by declaring in the HTTP headers of each connection that it intends to POST a large amount of data, and then sending that data at a very slow rate, so the server keeps each connection (and the resources behind it) reserved while it waits for a request body that never finishes arriving.
To harden the KFS 4.1 server against potential Slow HTTP POST Denial of Service attacks:
1. Open IIS Manager
2. In the Connections pane, select the server.
3. Under Management, double-click Configuration Editor
4. In the Configuration Editor, expand system.applicationHost and select
5. Set the connectionTimeout, headerWaitTimeout and minBytesPerSecond values to the following recommended values:
   - Set the connectionTimeout value to
   - Set the headerWaitTimeout value to
   - Set the minBytesPerSecond value to
These values may need to be adjusted based on network conditions and business requirements. The general rule is to set the timeout values as low as is reasonably possible and to raise minBytesPerSecond to the lowest transfer rate that a legitimate client on a slow network connection would still be expected to sustain.
6. In the Action pane, click Apply.
7. Navigate to the C:\Program Files (x86)\Kofax\Front Office Server 4.1 folder.
8. Open Web.config in a text editor such as Notepad.
9. Navigate to system.webServer | security | requestFiltering, which initially looks like this:
   <system.webServer>
     ...
     <security>
       <requestFiltering>
         <requestLimits maxAllowedContentLength="2147483648" />
       </requestFiltering>
10. Replace the requestLimits line with the following:
   <requestLimits maxAllowedContentLength="104857600" maxQueryString="1024" maxUrl="2048">
     <headerLimits>
       <add header="Content-type" sizeLimit="100" />
     </headerLimits>
   </requestLimits>
   The requestFiltering section will then look like the following:
   <security>
     <requestFiltering>
       <requestLimits maxAllowedContentLength="104857600" maxQueryString="1024" maxUrl="2048">
         <headerLimits>
           <add header="Content-type" sizeLimit="100" />
         </headerLimits>
       </requestLimits>
     </requestFiltering>
   </security>
11. Save the changes to Web.config.
12. In IIS Manager, restart the Web Site that hosts the KFS application.
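The same twelve steps can be applied from an elevated PowerShell session with the IIS WebAdministration module, which is useful when the change has to be repeated on several KFS servers or kept under change control. The script below is an added example and is not part of the Kofax article or product; it assumes the name of the site hosting KFS ($SiteName is a placeholder) and, because the article does not state the three webLimits numbers, uses constructed example values for connectionTimeout, headerWaitTimeout and minBytesPerSecond that must be replaced with the values chosen for your environment. The requestFiltering values are the ones from the article (104857600 bytes is 100 MB, down from the 2 GB default shown in step 9). Note that the webLimits settings live in applicationHost.config and therefore apply to every site on the server, and that once maxAllowedContentLength is lowered, any upload larger than 100 MB is rejected by IIS with a 404.13 (Content Length Too Large) response, so confirm that legitimate scan batches stay below that size.

```powershell
# Added example (not from the Kofax KB article): script the KFS 4.1 hardening
# steps with the WebAdministration module instead of the IIS Manager UI.
# Assumptions: $SiteName and the three webLimits values are placeholders.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName   = 'Default Web Site'            # placeholder: the site that hosts KFS 4.1
$ServerPath = 'MACHINE/WEBROOT/APPHOST'     # applicationHost.config (server level)
$WebLimits  = 'system.applicationHost/webLimits'

# Steps 1-6: server-wide connection limits. The article does not give the
# numbers; the values below are examples only and must be tuned per environment.
Set-WebConfigurationProperty -PSPath $ServerPath -Filter $WebLimits -Name 'connectionTimeout' -Value '00:01:00'
Set-WebConfigurationProperty -PSPath $ServerPath -Filter $WebLimits -Name 'headerWaitTimeout' -Value '00:00:30'
Set-WebConfigurationProperty -PSPath $ServerPath -Filter $WebLimits -Name 'minBytesPerSecond' -Value 1000

# Steps 7-11: request filtering limits written into the site's Web.config,
# using the article's values (100 MB body, 1 KB query string, 2 KB URL).
$SitePath  = "IIS:\Sites\$SiteName"
$ReqLimits = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $SitePath -Filter $ReqLimits -Name 'maxAllowedContentLength' -Value 104857600
Set-WebConfigurationProperty -PSPath $SitePath -Filter $ReqLimits -Name 'maxQueryString'          -Value 1024
Set-WebConfigurationProperty -PSPath $SitePath -Filter $ReqLimits -Name 'maxUrl'                  -Value 2048

# headerLimits is a collection, so remove any existing Content-type entry first;
# this keeps the script idempotent when it is re-run on an already hardened server.
$HeaderLimits = "$ReqLimits/headerLimits"
$existing = Get-WebConfiguration -PSPath $SitePath -Filter "$HeaderLimits/add[@header='Content-type']"
if ($existing) {
    Remove-WebConfigurationProperty -PSPath $SitePath -Filter $HeaderLimits -Name '.' -AtElement @{ header = 'Content-type' }
}
Add-WebConfigurationProperty -PSPath $SitePath -Filter $HeaderLimits -Name '.' -Value @{ header = 'Content-type'; sizeLimit = 100 }

# Read everything back so the effective configuration can be verified and
# recorded before the site is restarted.
Get-WebConfiguration -PSPath $ServerPath -Filter $WebLimits |
    Select-Object connectionTimeout, headerWaitTimeout, minBytesPerSecond | Format-List
Get-WebConfiguration -PSPath $SitePath -Filter $ReqLimits |
    Select-Object maxAllowedContentLength, maxQueryString, maxUrl | Format-List
Get-WebConfiguration -PSPath $SitePath -Filter "$HeaderLimits/add" |
    Select-Object header, sizeLimit | Format-Table

# Step 12: restart the site that hosts KFS so the new limits take effect.
Stop-Website  -Name $SiteName
Start-Website -Name $SiteName
```

If KFS is deployed as an application beneath a site rather than as the site root, point $SitePath at that application (for example "IIS:\Sites\$SiteName\<application>") so that the requestFiltering settings land in the KFS Web.config rather than the parent site's.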