IBM i Apache Security Setting: RequestReadTimeout

A client asked for help addressing a Denial of Service (DoS) vulnerability that their security company discovered. The company found it could tie up the Apache web server by sending it incomplete requests. By sending an artificially high “Content-Length” header and then no body, they caused the web server to sit waiting for data that would never come.

One defense against this type of DoS attack is to limit how long the web server will wait for the rest of a request to arrive.

IBM HTTP Server (powered by Apache) for i provides a directive called RequestReadTimeout, supplied by the mod_reqtimeout module, that limits how many seconds the server waits to receive the complete request headers and, separately, the request body (for example the body of a POST). Example:
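The configuration below is an added example and not the setting from the original post, which is not reproduced here. It uses the two-second value the text describes, and the commented-out second form goes beyond the post to show the timeout-range and MinRate options the directive also accepts (the values there are assumptions chosen for illustration). It assumes an IBM i HTTP Server instance at a level that includes mod_reqtimeout; on a stock Apache httpd build the module must be loaded first (LoadModule reqtimeout_module modules/mod_reqtimeout.so).

```apache
# Added example, not the configuration from the original post.
# Goes in the instance's httpd.conf, or inside a <VirtualHost> block.

# Matching the post: give up if the complete request headers have not
# arrived within two seconds, and give up if a request body announced by
# Content-Length (or chunked encoding) has not arrived within two seconds
# of the headers completing. On timeout the client gets HTTP 408 Request
# Timeout and the connection is closed, freeing the worker.
RequestReadTimeout header=2 body=2

# A less aggressive variant for sites with slow clients or large uploads
# (assumed values, not from the post):
#   header=10-20,MinRate=500  allow 10 seconds for the headers, extended
#                             by 1 second per 500 bytes received, but
#                             never more than 20 seconds in total
#   body=30,MinRate=500       allow 30 seconds for the body, extended by
#                             1 second per 500 bytes received, with no
#                             upper bound while data keeps flowing
# A client that sends "Content-Length: 1000000" and then nothing is still
# cut off after 30 seconds, because it never earns an extension.
# RequestReadTimeout header=10-20,MinRate=500 body=30,MinRate=500
```

To confirm the setting took effect, open a raw TCP connection to the server (for example with nc or telnet), send a POST request line and headers that include a large Content-Length, follow them with a blank line and nothing else, and watch for a 408 response after roughly the configured number of seconds.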

With a two-second setting, the web server waits two seconds for the data and then gives up. When the timeout fires, the person or program that sent the request receives HTTP 408 (Request Timeout) and the server closes the connection, so the worker is free to serve other clients instead of waiting on the attacker.

NOTE: RequestReadTimeout applies only to incoming request data. It does not limit how long the server may take to produce a response, only how long it waits for input, so it is safe to use with long-running or slow responses. It does, however, apply to legitimate clients that send large request bodies over slow links, so sites that accept uploads should allow more time for the body than for the headers, or use the directive’s MinRate option so that a client which keeps sending data is not cut off.

More on RequestReadTimeout

RequestReadTimeout is a flexible directive with options to handle many scenarios, including separate header and body limits, a timeout range, and a minimum data rate. For more information, see the IBM i Apache RequestReadTimeout page and the general Apache mod_reqtimeout documentation for RequestReadTimeout.
