9.1 Ensure the TimeOut Is Set to 10 or Less

Information

Denial of Service (DoS) is an attack technique with the intent of preventing a web site from serving normal user activity. DoS attacks, which are normally applied to the network layer, are also possible at the application layer. These malicious attacks can succeed by starving a system of critical resources, vulnerability exploit, or abuse of functionality. Although there is no 100% solution for preventing DoS attacks, the following recommendation uses the Timeout directive to mitigate some of the risk, by requiring more effort for a successful DoS attack. Of course, DoS attacks can happen in rather unintentional ways as well as intentional and these directives will help in many of those situations as well.

Rationale:

One common technique for DoS is to initiate many connections to the server. By decreasing the timeout for old connections and we allow the server to free up resources more quickly and be more responsive. By making the server more efficient, it will be more resilient to DoS conditions. The Timeout directive affects several timeout values for Apache, so review the Apache document carefully. http://httpd.apache.org/docs/2.4/mod/core.html#timeout

Solution

Perform the following to implement the recommended state:
Add or modify the Timeout directive in the Apache configuration to have a value of 10 seconds or shorter.

Timeout 10

Default Value:

Timeout 60

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(8), CSCv7|9

Plugin: Unix

Control ID: efb9e44bd5905934bf7a1a96ab0df2a7830dc5d20acd9ae3ccf217e87dfc0ef3