Here are my findings:
1) SLOW HTTP POST VULNERABILITY (Slowloris attack):
Unfortunately, for any type of DoS attack there are only mitigations, each with pros and cons, and no complete solution.
With the Gateway deployed alone, the available mitigations against Slowloris are:
1. Configure Socket Connector properties to drop/clean up connections that have been idle for x seconds
- Under Policy Manager, configure the Listen Port Advanced Properties and create the following properties
Con: If a legitimate connection idles for more than x seconds (3 seconds in the above example), you will end up terminating the legitimate connection.
Con: If the Slowloris attacker sends keep-alive traffic every x seconds, with x smaller than the connectionTimeout value above, this will not mitigate the attack.
Pro: The Gateway will clean up the malicious connections every x seconds, so other, non-malicious clients get the opportunity to establish a connection.
2. Configure the firewall settings to limit the number of connections per IP address
- For example, add the following line to the iptables configuration file (/etc/sysconfig/iptables) manually:
-A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j REJECT --reject-with tcp-reset
Con: You might be blocking a mega proxy.
Con: This mitigation is not applicable if the DoS attack comes from distributed sources.
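As an added example for mitigations 1 and 2 above (written for this page; it is not Gateway, Policy Manager or iptables code, and the constants HEADER_DEADLINE_SECONDS and MAX_CONNS_PER_IP, the sample request and the host name gateway.example are assumed demo values), the following Python front-end implements both ideas on raw sockets and exercises them on localhost: a header-completion deadline in place of connectionTimeout, and a per-source connection cap in place of the connlimit rule.

```python
# Added example (not Gateway or iptables code): a minimal TCP front-end applying the
# two "Gateway alone" mitigations above. Headers still incomplete after HEADER_DEADLINE_SECONDS
# get the connection dropped (the connectionTimeout idea); a source IP already holding
# MAX_CONNS_PER_IP connections gets new ones refused (the connlimit idea). Assumed demo values.
import socket
import threading
import time
from collections import Counter

HEADER_DEADLINE_SECONDS = 1.0   # assumed; analogue of connectionTimeout
MAX_CONNS_PER_IP = 2            # assumed; analogue of --connlimit-above
FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: gateway.example\r\n\r\n"   # constructed sample

class SlowlorisAwareServer:
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))    # port 0: the OS picks a free port
        self.sock.listen(64)
        self.port = self.sock.getsockname()[1]
        self.active_by_ip = Counter()       # live connections per source address
        self.stats = Counter()              # served / timed_out / rejected_connlimit
        self.lock = threading.Lock()
        self._stop = threading.Event()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        self.sock.settimeout(0.2)           # wake periodically to notice stop()
        while not self._stop.is_set():
            try:
                conn, (ip, _) = self.sock.accept()
            except OSError:                 # accept timeout or socket closed
                continue
            with self.lock:
                if self.active_by_ip[ip] >= MAX_CONNS_PER_IP:
                    self.stats["rejected_connlimit"] += 1
                    conn.close()            # closing with the request unread makes Linux send a RST
                    continue
                self.active_by_ip[ip] += 1
            threading.Thread(target=self._handle, args=(conn, ip), daemon=True).start()

    def _handle(self, conn, ip):
        deadline = time.monotonic() + HEADER_DEADLINE_SECONDS
        buf = b""
        try:
            while b"\r\n\r\n" not in buf:   # read until the header block is complete
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise socket.timeout()
                conn.settimeout(remaining)
                chunk = conn.recv(4096)
                if not chunk:               # peer gave up before finishing
                    return
                buf += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
            self.stats["served"] += 1
        except socket.timeout:
            self.stats["timed_out"] += 1    # slow sender reaped, its slot is freed
        except OSError:
            pass                            # reset by peer; nothing to count
        finally:
            with self.lock:
                self.active_by_ip[ip] -= 1  # free the slot before the peer sees EOF
            conn.close()

    def stop(self):
        self._stop.set()
        self.sock.close()

def send_request(port, pieces, gap_seconds=0.0):
    """Send request pieces with a pause between them; return the reply, b"" if dropped."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(5.0)
    try:
        for piece in pieces:
            s.sendall(piece)
            time.sleep(gap_seconds)
        reply = b""
        while part := s.recv(4096):
            reply += part
        return reply
    except OSError:
        return b""                          # reset or broken by the server
    finally:
        s.close()

def run_demo():
    srv = SlowlorisAwareServer()
    r = {"fast_served": send_request(srv.port, [FULL_REQUEST]).endswith(b"ok")}
    # One header line every 0.6 s never completes within the 1 s deadline, so it is reaped;
    # a legitimate client that slow is cut off the same way (the first con above).
    trickle = [b"GET / HTTP/1.1\r\n", b"Host: gateway.example\r\n", b"X-Slow: 1\r\n", b"\r\n"]
    r["slow_dropped"] = send_request(srv.port, trickle, gap_seconds=0.6) == b""
    # A source already holding MAX_CONNS_PER_IP idle connections gets the next one refused.
    holders = [socket.create_connection(("127.0.0.1", srv.port)) for _ in range(MAX_CONNS_PER_IP)]
    r["over_limit_rejected"] = send_request(srv.port, [FULL_REQUEST]) == b""
    time.sleep(HEADER_DEADLINE_SECONDS + 0.5)   # the deadline reaps the idle holders
    r["served_after_cleanup"] = send_request(srv.port, [FULL_REQUEST]).endswith(b"ok")
    for h in holders:
        h.close()
    srv.stop()
    r["stats"] = dict(srv.stats)
    return r
```

run_demo() returns a dict: with the assumed values the normal client is served, the trickling client is dropped, the third connection from the over-limit source is refused, and service to that source resumes once the deadline has reaped its idle connections. Both cons from the findings are visible in the same code: any client slower than HEADER_DEADLINE_SECONDS is cut off exactly like the attacker, and the per-IP cap counts every user behind a shared address as one source.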
For more complete mitigation, customers can deploy a reverse-proxy entity in front of the Gateway (FYI, a load balancer is a reverse proxy) that has special modules which specifically mitigate Slowloris attacks:
3. Commercial load balancer with such protection capabilities
4. Apache server in front of the Gateway
- Using Apache modules (for example, mod_reqtimeout, mod_qos, mod_antiloris)
- ModSecurity in front of the Gateway (web application firewall)
  using specific slow-DoS security rules
2) SSL/TLS Renegotiation Vulnerability - The fix for this has already been patched into almost all JDK versions (https://www.oracle.com/technetwork/java/javase/downloads/tlsreadme2-176330.html).
In Gateway 9.2 and above we are using JDK8, which has this fix available.
You can set the sun.security.ssl.allowUnsafeRenegotiation=false and sun.security.ssl.allowLegacyHelloMessages=false system properties to strictly follow RFC 5746 (which fixes this issue with TLS).