Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 6.3.7 Administration Guide
    6.3.7
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Preventing slow and low attacks

    Preventing slow and low attacks

    A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

    FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

    Configuring protection rules for slow and low attacks

    You can configure FortiWeb to prevent the long-lasting HTTP transactions.

    1. Go to Bot Mitigation > Threshold Based Detection.
    2. Click Create New.
    3. For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
    4. Configure the slow attack detection settings:

    5. Slow Attack Detection

      HTTP Transaction Timeout

      Specify a timeout value, in seconds, for the HTTP transaction.

      Packet Interval Timeout

      Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).

      Occurrence

      		 Define the frequency when HTTP response type is HTML, plain, XML, SOAP, and JSON.

      Within (Seconds)

      		 Enter the length of time, in seconds, which FortiWeb detects slow attack events.

      Action

      Select which action FortiWeb will take when it detects a violation of the policy:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

      The default value is Alert.

      Period Block

      Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3600 seconds (1 hour)

      This setting is available only if Action is set to Period Block.

      Severity

      When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

      • Informative
      • Low
      • Medium
      • High

      The default value is Low.

      Trigger Policy

      Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.
    6. Click OK.

    See information on the threshold based detection rule, see Configuring threshold based detection.

    In addition to the configurations in the threshold based detection rule, the following two commands in server-policy policy are also useful to prevent slow and low attacks that periodically add HTTP headers to a request.

    config server-policy policy

    edit "<policy_name>"

    set http-header-timeout <seconds_int>

    set tcp-recv-timeout <seconds_int>

    next

    end

    Variable Description Default

    http-header-timeout <seconds_int>

    The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
    The valid range is 0–1200. A value of 0 means that there is no timeout.

    0

    tcp-recv-timeout <seconds_int>

    The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.
    The valid range is 0–300. A value of 0 means that there is no timeout.

    0

    Previous
    Next

    Preventing slow and low attacks

    Preventing slow and low attacks

    A low and slow attack is a type of DoS attack that sends a small stream of traffic at a very slow rate. It targets application and server resources and is difficult to distinguish from normal traffic. The most popular attack tools include Slowloris and R.U.D.Y. Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

    FortiWeb can detect slow and low attacks and generate attack logs for you to trace the source.

    Configuring protection rules for slow and low attacks

    You can configure FortiWeb to prevent the long-lasting HTTP transactions.

    1. Go to Bot Mitigation > Threshold Based Detection.
    2. Click Create New.
    3. For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
    4. Configure the slow attack detection settings:

    5. Slow Attack Detection

      HTTP Transaction Timeout

      Specify a timeout value, in seconds, for the HTTP transaction.

      Packet Interval Timeout

      Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).

      Occurrence

      		 Define the frequency when HTTP response type is HTML, plain, XML, SOAP, and JSON.

      Within (Seconds)

      		 Enter the length of time, in seconds, which FortiWeb detects slow attack events.

      Action

      Select which action FortiWeb will take when it detects a violation of the policy:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

      The default value is Alert.

      Period Block

      Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3600 seconds (1 hour)

      This setting is available only if Action is set to Period Block.

      Severity

      When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

      • Informative
      • Low
      • Medium
      • High

      The default value is Low.

      Trigger Policy

      Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.
    6. Click OK.

    See information on the threshold based detection rule, see Configuring threshold based detection.

    In addition to the configurations in the threshold based detection rule, the following two commands in server-policy policy are also useful to prevent slow and low attacks that periodically add HTTP headers to a request.

    config server-policy policy

    edit "<policy_name>"

    set http-header-timeout <seconds_int>

    set tcp-recv-timeout <seconds_int>

    next

    end

    Variable Description Default

    http-header-timeout <seconds_int>

    The amount of time (in seconds) that FortiWeb will wait for the whole HTTP request header after a client sets up a TCP connection. FortiWeb closes the connection if the HTTP request is timeout.
    The valid range is 0–1200. A value of 0 means that there is no timeout.

    0

    tcp-recv-timeout <seconds_int>

    The amount of time (in seconds) that FortiWeb will wait for a client to send a request after the client sets up a TCP connection. FortiWeb closes the connection if the TCP request is timeout.
    The valid range is 0–300. A value of 0 means that there is no timeout.

    0

    Previous
    Next