We have a web app that is being hosted on Azure and have run Qualys security scans against it that tell us that it is vulnerable to an HTTP Slow Post attack. The analysis from Qualys tells us that it was able to keep a connection open for over 2 minutes making us vulnerable to a denial of service attack. To try and resolve the issue we have made edits to the web.config file and the applicationhost.config files. We have set our allowed maxAllowedContentLength, connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes accordingly, so that a connection should be terminated before reaching 2 minutes.

Even with all of these settings in place a Qualys scan still shows that we are vulnerable and that the connection was held open for longer than 2 minutes. One possible reason we found for this was that our site has an azure load balancer in front of it and the connection timeout for the load balancer can only be set to something between 4 minutes and 30 minutes (which is above the 2 minutes that Qualys complains about).

Is it possible that the Qualys scan hits the load balancer and could be giving the impression that we are vulnerable when we are not? I was hoping someone would have some insight to this and if the load balancer isn't the problem any other reasons this could be happening or potential solutions?

  • 1
    Do you also have read this blog from Qualys that have some other settings to change than the one you say blog.qualys.com/securitylabs/2011/11/02/…
    – Aristos
    Jul 27, 2016 at 20:47
  • Yes this blog has been used as a reference to try and eliminate the vulnerability.
    – pderks
    Jul 27, 2016 at 21:47
  • If you have a load balancer that's fronting all your requests, then you're not really in danger of DoS attack. The load balancer / Azure is. Jul 27, 2016 at 23:47


Your Answer

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

Browse other questions tagged or ask your own question.