IBM i Apache Security Setting: RequestReadTimeout
A client asked for help addressing a Denial of Service (DoS) vulnerability that their security company discovered. The company found it could slow down the Apache web server by sending it incorrect headers. By sending an artificially high “Content-Length” header, they caused the web server to wait for data that would never come.
One defense against this type of DoS attack is to limit how many seconds the web server will wait for input.
IBM HTTP Server (powered by Apache) for i provides a directive called RequestReadTimeout that specifies how many seconds to wait to receive the complete headers and body (POST). Example:
|
1 2 |
LoadModule reqtimeout_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM RequestReadTimeout header=2 body=2 |
With the above setting, the web server will wait two seconds for data, then time out. If a timeout occurred, the person or computer who sent the request would receive HTTP 408 (Request Timeout).
NOTE: The RequestReadTimeout applies only to incoming data. It does not limit the server’s response time, only its input time. It is safe to use with long-running or slow responses.
More on RequestReadTimeout
RequestReadTimeout is a flexible directive with options to handle many scenarios. For more information, see the IBM i Apache RequestReadTimeout page and the general Apache RequestReadTimeout page.
Leave a Reply
Want to join the discussion?Feel free to contribute!