<?xml version="1.0" encoding="UTF-8"?>
<cvrf:cvrfdoc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:cvrf-common="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/common" xmlns:cvrf="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
    <cvrf:DocumentTitle>Slow HTTP DoS Attacks Mitigation</cvrf:DocumentTitle>
    <cvrf:DocumentType>Fortinet PSIRT Advisories</cvrf:DocumentType>
    <cvrf:DocumentPublisher Type="Vendor">
        <cvrf:ContactDetails>
            Fortinet PSIRT Contact:
            Website: https://fortiguard.fortinet.com/faq/psirt-contact
        </cvrf:ContactDetails>
    </cvrf:DocumentPublisher>
    <cvrf:DocumentTracking>
        <cvrf:Identification>
            <cvrf:ID>FG-IR-19-013</cvrf:ID>
        </cvrf:Identification>
        <cvrf:Status>Final</cvrf:Status>
        <cvrf:Version>1</cvrf:Version>
        <cvrf:RevisionHistory>
            <cvrf:Revision>
                <cvrf:Number>1</cvrf:Number>
                <cvrf:Date>2020-02-03T00:00:00</cvrf:Date>
                <cvrf:Description>Current version</cvrf:Description>
            </cvrf:Revision>
        </cvrf:RevisionHistory>
        <cvrf:InitialReleaseDate>2020-02-03T00:00:00</cvrf:InitialReleaseDate>
        <cvrf:CurrentReleaseDate>2020-02-03T00:00:00</cvrf:CurrentReleaseDate>
    </cvrf:DocumentTracking>
    <cvrf:DocumentNotes>
        <cvrf:Note Title="Summary" Type="Summary" Ordinal="1">
            An Uncontrolled Resource Consumption vulnerability in multiple products may allow an attacker to cause a denial of service (DoS) of the web service portal by sending specially crafted HTTP requests/responses in pieces, slowly. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time, to a web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server's concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP attacks are easy to execute because they require only minimal resources from the attacker.
        </cvrf:Note>
        <cvrf:Note Title="Impact" Type="General" Ordinal="2">
            Denial of service
        </cvrf:Note>
        <cvrf:Note Title="Affected Products" Type="General" Ordinal="3">
            The admin webUI of the following products/versions is impacted:
            - FortiOS versions 6.2.2 and below
            - FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2
            - FortiAnalyzer all versions below 6.2.3
            - All 6.4.x versions of FortiAnalyzer
            - FortiAnalyzer all versions below 7.0.4
            - FortiAnalyzer version 7.2.0
            - FortiManager all versions below 6.2.3
            - FortiAP-S/W2 versions below 6.2.2
        </cvrf:Note>
        <cvrf:Note Title="Solutions" Type="General" Ordinal="4">
            The following products/versions have implemented counter-measures:
            - Upgrade to FortiOS 6.2.3
            - Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2
            - Upgrade to FortiAnalyzer 7.2.1
            - Upgrade to FortiAnalyzer 7.0.4
            - Upgrade to FortiAnalyzer 6.2.3
            - Upgrade to FortiManager 6.2.3
            - Upgrade to FortiAP-S/W2 6.2.2
            When supported, configuring trusted hosts for system administrators is a workaround, assuming those hosts are trusted not to initiate an attack.
        </cvrf:Note>
    </cvrf:DocumentNotes>
    <cvrf:DocumentReferences>
        <cvrf:Reference>
            <cvrf:URL>https://fortiguard.fortinet.com/psirt/FG-IR-19-013</cvrf:URL>
            <cvrf:Description>Slow HTTP DoS Attacks Mitigation</cvrf:Description>
        </cvrf:Reference>
        <cvrf:Reference>
            <cvrf:URL>https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks</cvrf:URL>
            <cvrf:Description>https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks</cvrf:Description>
        </cvrf:Reference>
    </cvrf:DocumentReferences>
    <cvrf:Acknowledgments>
        <cvrf:Acknowledgment>
            <cvrf:Description>Fortinet is pleased to thank the independent research team of Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this vulnerability under responsible disclosure.</cvrf:Description>
        </cvrf:Acknowledgment>
    </cvrf:Acknowledgments>
    <Vulnerability Ordinal="1">
        <Title>Slow HTTP DoS Attacks Mitigation</Title>
        <cvrf:CVE>CVE-2007-6750</cvrf:CVE>
        <cvrf:CVE>CVE-2019-17657</cvrf:CVE>
        <CVSSScoreSets>
            <ScoreSetV3>
                <BaseScoreV3>7.5</BaseScoreV3>
                <VectorV3>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:X/RC:X</VectorV3>
            </ScoreSetV3>
        </CVSSScoreSets>
        <References Type="Self">
            <Reference>
                <URL>https://fortiguard.fortinet.com/psirt/FG-IR-19-013</URL>
                <Description>Slow HTTP DoS Attacks Mitigation</Description>
            </Reference>
            <Reference>
                <URL>https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks</URL>
                <Description>https://blog.qualys.com/securitylabs/2011/11/02/how-to-protect-against-slow-http-attacks</Description>
            </Reference>
        </References>
    </Vulnerability>
</cvrf:cvrfdoc>