9.6 Ensure Timeout Limits for the Request Body is Set to 20 or Less - mod_reqtimeout

Information

The RequestReadTimeout directive also allows setting timeout values for the body portion of a request. The directive provides for an initial timeout value, and a maximum timeout and minimum rate. The minimum rate specifies that after the initial timeout, the server will wait an additional 1 second for each N bytes received. The recommended setting is to have a maximum timeout of 20 seconds or less. The default value is body=20,MinRate=500.

Rationale:

It is not sufficient to timeout only on the header portion of the request, as the server will still be vulnerable to attacks like the OWASP Slow POST attack, which provide the body of the request very slowly. Therefore, the body portion of the request must have a timeout as well. A timeout of 20 seconds or less is recommended.

Solution

Load the mod_requesttimeout module in the Apache configuration with the following configuration.

LoadModule reqtimeout_module modules/mod_reqtimeout.so

Add a RequestReadTimeout directive similar to the one below with the maximum request body timeout value of 20 seconds or less.

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

Default Value:

body=20,MinRate=500

See Also

https://workbench.cisecurity.org/files/4548