9.5 Ensure the Timeout Limits for Request Headers is Set to 40 or Less - mod_reqtimeout

Information

The 'RequestReadTimeout' directive allows configuration of timeout limits for client requests. The header portion of the directive provides for an initial timeout value, a maximum timeout, and a minimum rate. The minimum rate specifies that after the initial timeout, the server extends the timeout by one additional second for each N bytes received, up to the maximum timeout. The recommended setting is to have a maximum header timeout of '40' seconds or less. Keep in mind that for SSL/TLS virtual hosts, the time for the TLS handshake must fit within the timeout.

Rationale:

Setting a request header timeout is vital for mitigating DoS attacks based on slow requests. Slow request attacks are particularly lethal and relatively easy to perform, because they require very little bandwidth and can easily be done through anonymous proxies. These attacks started in June 2009 with the Slowloris DoS attack, which used a slow 'GET' request, as published by Robert Hansen (RSnake) on his blog [http://ha.ckers.org/slowloris/](http://ha.ckers.org/slowloris/). Later, in November 2010 at the OWASP AppSec DC conference, Wong Onn Chee demonstrated a slow POST request attack which was even more effective. For details, see: [https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t](https://www.owasp.org/index.php/H.....t.....t....p.......p....o....s....t)

Solution

Perform the following to implement the recommended state:
1. Load the 'mod_reqtimeout' module in the Apache configuration with the following.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

2. Add a 'RequestReadTimeout' directive similar to the one below with the maximum request header timeout value of '40' seconds or less.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
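The following audit script is an added example, not CIS's or Tenable's own check. It assumes the Apache configuration is available as text with Include files already resolved, and evaluates both steps above: that mod_reqtimeout is loaded and that the maximum header timeout in every 'RequestReadTimeout' directive is 40 seconds or less. The configuration fragments are constructed sample input.

```python
import re

MAX_HEADER_TIMEOUT = 40  # seconds, the benchmark's upper bound

# Constructed configuration fragments used as sample input (not from a live server).
COMPLIANT_CONF = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
# RequestReadTimeout header=20-400,MinRate=500  <- commented out, must be ignored
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
"""
NONCOMPLIANT_CONF = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=20-60,MinRate=500 body=20,MinRate=500
"""
MISSING_HEADER_CONF = """
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout body=20,MinRate=500
"""


def header_timeout_max(line):
    """Maximum header timeout (seconds) declared by one RequestReadTimeout line,
    or None if the line carries no header= option. Handles both forms the
    directive accepts: header=N (fixed) and header=A-B (initial-maximum)."""
    m = re.search(r"\bheader=(\d+)(?:-(\d+))?", line, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(2) or m.group(1))


def audit(config_text):
    """Evaluate check 9.5 against configuration text with Include files already
    resolved. Returns (passed, reason); the worst directive found decides."""
    active = [ln.strip() for ln in config_text.splitlines()
              if ln.strip() and not ln.lstrip().startswith("#")]
    if not any(re.match(r"LoadModule\s+reqtimeout_module\b", ln, re.IGNORECASE)
               for ln in active):
        return False, "mod_reqtimeout is not loaded"
    directives = [ln for ln in active
                  if re.match(r"RequestReadTimeout\b", ln, re.IGNORECASE)]
    if not directives:
        return False, "no RequestReadTimeout directive"
    maxima = [header_timeout_max(ln) for ln in directives]
    if None in maxima:
        return False, "RequestReadTimeout has no header= limit"
    worst = max(maxima)
    if worst == 0:  # mod_reqtimeout treats a value of 0 as "no limit"
        return False, "header timeout is disabled (0)"
    if worst > MAX_HEADER_TIMEOUT:
        return False, f"header timeout maximum {worst}s exceeds {MAX_HEADER_TIMEOUT}s"
    return True, f"header timeout maximum {worst}s"
```

A statically compiled mod_reqtimeout has no LoadModule line, so on such builds confirm the module with `httpd -M` instead of relying on the LoadModule test.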

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|9, CSCv7|5.1

Plugin: Unix

Control ID: c02a359bb1e4a2cd7ce6d2f26fa257f1fe82350ce8554374bad33ad56d14810f