Kofax

Harden KFS 4.1 against potential Slow HTTP POST Denial of Service attacks

3011332

Question / Problem: 

How to harden Kofax Front Office Server 4.1 against potential Slow HTTP POST Denial of Service (DoS) attacks

Answer / Solution: 

Slow HTTP POST Denial of Service attacks open multiple connections to a server and hold those connections open for a long period of time. The attacker accomplishes this by announcing in the HTTP headers of each connection that it intends to POST a large amount of data, and then sending that data at a very slow rate, so each connection stays occupied.

To harden the KFS 4.1 server against potential Slow HTTP POST Denial of Service attacks:

1. Open IIS Manager

2. In the Connections pane, select the server

3. Under Management, double-click Configuration Editor

4. In the Configuration Editor, expand system.applicationHost and select webLimits

5. Set the connectionTimeout, headerWaitTimeout, and minBytesPerSecond values to the following recommended values:

  • Set the connectionTimeout value to 00:00:30
  • Set the headerWaitTimeout value to 00:00:30
  • Set the minBytesPerSecond value to 500


These values may need to be adjusted based on network conditions and business requirements. The general rule is to set the timeout values as low as is reasonably possible and to raise the minimum bytes per second to a level that a valid client on a slow network connection would still be expected to meet.

6. In the Action pane, click Apply.

7. Navigate to C:\Program Files (x86)\Kofax\Front Office Server 4.1

8. Open Web.config in a text editor such as Notepad

9. Navigate to system.webServer | security | requestFiltering

<system.webServer>
    ...
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="2147483648" />
      </requestFiltering>
    </security>
    ...
</system.webServer>

10. Replace the requestLimits line with the following:

<requestLimits maxAllowedContentLength="104857600" maxQueryString="1024" maxUrl="2048">
    <headerLimits>
        <add header="Content-type" sizeLimit="100" />
    </headerLimits>
</requestLimits>

The resulting requestFiltering section contains this multi-line requestLimits element, with its headerLimits child, in place of the original single-line requestLimits element.

11. Save the changes to Web.config

12. In IIS Manager, restart the Web Site that hosts the KFS application.
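The same procedure as a script, as an added example that is not part of the Kofax article: it sets the webLimits values with the WebAdministration module, edits the requestLimits element in the KFS Web.config in place, reads the server-wide limits back so the change can be confirmed, and restarts the site. It assumes an elevated PowerShell session on the KFS 4.1 server, the default install path named in step 7, and that KFS is hosted under a site called "Default Web Site".

```powershell
# Added example, not part of the Kofax article: applies the hardening steps
# above with the WebAdministration module and verifies the result.
# Assumptions: elevated PowerShell on the KFS 4.1 server, the article's
# default install path, and that KFS is hosted under 'Default Web Site'.
Import-Module WebAdministration

$appHost   = 'MACHINE/WEBROOT/APPHOST'
$webLimits = 'system.applicationHost/webLimits'
$siteName  = 'Default Web Site'   # assumption: the site hosting KFS
$webConfig = 'C:\Program Files (x86)\Kofax\Front Office Server 4.1\Web.config'

# Step 5: server-wide webLimits (the article's recommended starting values;
# adjust them for your own network conditions and business requirements).
$wanted = [ordered]@{
    connectionTimeout = '00:00:30'
    headerWaitTimeout = '00:00:30'
    minBytesPerSecond = 500
}
foreach ($name in $wanted.Keys) {
    Set-WebConfigurationProperty -PSPath $appHost -Filter $webLimits -Name $name -Value $wanted[$name]
}

# Steps 7-11: replace the requestLimits element in the KFS Web.config.
Copy-Item -Path $webConfig -Destination "$webConfig.bak" -Force   # keep a backup first
[xml]$xml = Get-Content -Path $webConfig -Raw
$limits = $xml.SelectSingleNode('/configuration/system.webServer/security/requestFiltering/requestLimits')
if (-not $limits) { throw "requestLimits element not found in $webConfig" }
$limits.SetAttribute('maxAllowedContentLength', '104857600')   # 100 MB instead of 2 GB
$limits.SetAttribute('maxQueryString', '1024')
$limits.SetAttribute('maxUrl', '2048')
if (-not $limits.SelectSingleNode('headerLimits')) {
    $headerLimits = $xml.CreateElement('headerLimits')
    $add = $xml.CreateElement('add')
    $add.SetAttribute('header', 'Content-type')
    $add.SetAttribute('sizeLimit', '100')
    [void]$headerLimits.AppendChild($add)
    [void]$limits.AppendChild($headerLimits)
}
$xml.Save($webConfig)

# Read the server-wide limits back to confirm the change (re-run this part later as an audit).
$current = Get-WebConfiguration -PSPath $appHost -Filter $webLimits
$current | Select-Object connectionTimeout, headerWaitTimeout, minBytesPerSecond | Format-List

# Step 12: restart the site that hosts KFS.
Stop-Website -Name $siteName
Start-Website -Name $siteName
```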


Applies to:

Product | Version
KFS     | 4.1
