Mitigating Slow HTTP Post Vulnerability on Tomcat 8

Question

The third party tool we used for security test is giving Slow HTTP POST Vulnerability on Tomcat 8. We have a simple Spring Controller and JSP in the application.

Existing Tomcat connector config is below:

<Connector port="8643" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" compression="on" 
  clientAuth="false" sslProtocol="TLS" maxPostSize="20480" 
  maxSwallowSize="20480" maxHeaderCount="25" maxParameterCount="100"/>

Note that we don't have Apache or Nginx in front of tomcat. Please suggest the configs that we can use directly on Tomcat.

Answer 1

An example of Slow HTTP Attack is SLOWLORIS

To mitigate it with Tomcat, the solution is to use the NIO Connector, as explained in this tutorial.

What is unclear with your problem, is that Tomcat already uses the NIO connector by default on Tomcat 8, which is your configuration :

The default value is HTTP/1.1 which uses an auto-switching mechanism to select either a non blocking Java NIO based connector or an APR/native based connector.

Maybe should you set some other Connector parameters to specifically limit POST abuse, I suggest :

maxPostSize="1048576" (1 MByte)
connectionTimeout="10000" (10 seconds between the connection and the URI request)
disableUploadTimeout="false" (activate the POST maximum time allowed)
connectionUploadTimeout="20000" (maximum POST of 20 seconds)

An option is also to limit the headers number (default being 100), but this can have side effects with people using smartphones (which are known to send many headers) :

maxHeaderCount="25"

But it depends if your traffic is coming from Internet, or if it is a pro intranet with known users. In this latter case you could adjust the settings to be more permissive.

Edit 1: hardening with MultipartConfig

As stated on some other posts, maxPostSize might not work for limitting uploads. When using Java 7 built-in uploads, it is possible to configure limits by an annotation to the Servlet, or by configuration. It's not a pure Tomcat configuration as you asked, but it is necessary to know about it and talk with the DEV team as security must be taken in account since the early stages of development.

Edit 2: disabling chunked Transfer-Encoding

Some Slow HTTP POST attacks are based on requests sent with a Transfer-Encoding : chunked header, and then send many or an infinite number of chunks. To counter this attack, I suggest configuring a Rewrite Valve.

To achieve this, add the valve in your Host definition in server.xml :

<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />

Supposing your host name is the default one (localhost), you need to create $CATALINA_BASE/conf/Catalina/localhost/rewrite.config file with this content :

RewriteCond %{HTTP:Transfer-Encoding} chunked
RewriteRule ^(.*)$ / [F]

If necessary, you can adapt the RewriteRule to reply with something else than a 403 Forbidden which is due to the F flag. This is pure Tomcat config and flexible.