What is a slow POST Attack and how to turn HAProxy into your first line of Defense?

One of the biggest security challenges that companies face today is the POST attack. Unlike a more traditional “Denial-of-Service” attack, POST attacks target a server’s logical resources – making them particularly powerful when executed.

What is a slow POST Attack?


In a POST attack, an attacker begins by sending a legitimate HTTP POST header to a Web server, exactly as they would under normal circumstances. The header specifies the exact size of the message body that will follow. However, that message body is then sent at an alarmingly low rate – sometimes as slow as 1 byte per approximately two minutes. Because the entire message is technically correct and complete, the targeted server attempts to obey all specified rules, which, as you would expect, can take quite a while. The issue is that if an attacker establishes hundreds or even thousands of these POST connections simultaneously, they quickly use up all server resources and make legitimate connections impossible.

How can HAProxy protect against a slow POST attack?


Because POST attacks can be incredibly powerful, it’s always important to have a tool in place to identify these types of issues when they’re still in their nascent stages to prevent them from becoming much larger, more serious issues down the road. Because HAProxy was designed as an application delivery controller to manage Web application high availability and performance, it is already in an ideal position to stop these types of POST attacks in their tracks.

HAProxy Configuration Example

Because of HAProxy’s structure and configuration flexibility, many professionals and consumers alike often use it as a security tool. Case in point: with the following configuration example, you can help protect your servers against POST attacks and prevent attackers from clogging resources and ultimately harming not only your equipment but your entire organization.

frontend ft_myapp
 [...]
 option http-buffer-request
 timeout http-request 10s

As you can see, with just a few simple modifications, HAProxy can quickly and effortlessly remove POST attacks from the list of things you have to worry about on a daily basis with regard to your mission-critical business applications and APIs.
The option http-buffer-request instructs HAProxy to wait for the whole request body before forwarding it to a server, and timeout http-request 10s sets how much time HAProxy gives a client to send the whole POST.
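
A detection check to go with this configuration, as an added example that is not part of the original article: when timeout http-request expires before the request is complete, HAProxy answers 408 and logs termination state cR, so counting cR entries per client IP surfaces likely slow-POST sources. The log lines are constructed samples in the "option httplog" format, and the function name and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in HAProxy's HTTP log format ("option httplog").
SAMPLE_LOG = """\
Mar  3 10:00:00 lb1 haproxy[1201]: Proxy ft_myapp started.
Mar  3 10:00:01 lb1 haproxy[1201]: 203.0.113.7:51514 [03/Mar/2024:10:00:01.120] ft_myapp bk_myapp/srv1 0/0/1/12/13 200 512 - - ---- 5/5/1/1/0 0/0 "POST /login HTTP/1.1"
Mar  3 10:00:12 lb1 haproxy[1201]: 198.51.100.23:40110 [03/Mar/2024:10:00:02.004] ft_myapp ft_myapp/<NOSRV> -1/-1/-1/-1/10001 408 212 - - cR-- 6/6/0/0/0 0/0 "POST /upload HTTP/1.1"
Mar  3 10:00:12 lb1 haproxy[1201]: 198.51.100.23:40111 [03/Mar/2024:10:00:02.010] ft_myapp ft_myapp/<NOSRV> -1/-1/-1/-1/10000 408 212 - - cR-- 6/6/0/0/0 0/0 "POST /upload HTTP/1.1"
Mar  3 10:00:12 lb1 haproxy[1201]: 198.51.100.23:40112 [03/Mar/2024:10:00:02.015] ft_myapp ft_myapp/<NOSRV> -1/-1/-1/-1/10002 408 212 - - cR-- 5/5/0/0/0 0/0 "POST /upload HTTP/1.1"
Mar  3 10:00:13 lb1 haproxy[1201]: 198.51.100.23:40113 [03/Mar/2024:10:00:03.001] ft_myapp ft_myapp/<NOSRV> -1/-1/-1/-1/10000 408 212 - - cR-- 4/4/0/0/0 0/0 "POST /upload HTTP/1.1"
Mar  3 10:00:20 lb1 haproxy[1201]: 192.0.2.44:38211 [03/Mar/2024:10:00:10.500] ft_myapp ft_myapp/<NOSRV> -1/-1/-1/-1/10000 408 212 - - cR-- 3/3/0/0/0 0/0 "POST /upload HTTP/1.1"
Mar  3 10:00:21 lb1 haproxy[1201]: 203.0.113.9:44001 [03/Mar/2024:10:00:21.300] ft_myapp bk_myapp/srv1 0/0/0/8/8 200 1024 - - ---- 3/3/1/1/0 0/0 "GET / HTTP/1.1"
"""

# client_ip:port [accept_date] frontend backend/server timers status bytes
# req_cookie resp_cookie termination_state ...
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+) \[[^\]]+\] '
    r'(?P<frontend>\S+) (?P<backend>\S+) (?P<timers>[-\d/]+) '
    r'(?P<status>\d{3}|-1) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
)

def slow_request_sources(log_text, frontend="ft_myapp", threshold=3):
    """Return {client_ip: count} for clients whose requests on `frontend`
    ended in state cR (timeout http-request expired before the request was
    complete) at least `threshold` times. Threshold is an assumed value."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # startup notices and other non-request lines
        if m.group("frontend") == frontend and m.group("term").startswith("cR"):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in slow_request_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests timed out before completion (cR/408)")
```

A single cR entry is usually just a slow or broken client; repeated entries from one address within the timeout window are the pattern worth alerting on.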

Thanks to its functionality as a security tool, a reverse proxy and more in addition to its intended functionality as a load balancer, it’s easy to see why HAProxy is used by some of the largest sites on the Internet including Reddit, Tumblr, GitHub and more on a daily basis.

This function is available in the following versions of HAProxy:


3 thoughts on “What is a slow POST Attack and how to turn HAProxy into your first line of Defense?”

  1. Very nice. I knew HAProxy is a very powerful and flexible load balancer. A few things on my mind: make HAProxy config updates using an API and reload with zero downtime.

    Continue your good work; expecting these articles very often.

  2. Buffer request? Orly? And if it’s multiple file uploads of 12-14M sized files or just megs of cookies, happening simultaneously?

    1. Either it happens from a single IP address and it’s trivial to stop using stick-tables, or it happens from many and it’s a regular DDoS, meaning you have to deal with it like any regular DDoS (i.e.: adapt to each and every situation). In all other cases, a valid request is properly dealt with (since the analysis only covers the first buffer), so a valid client filling 16kB of buffer at only 1.6 kB per second will still be allowed to pass with the 10s timeout (otherwise increase it). An attacker trying to abuse this will require a huge network bandwidth: in order to maintain 100k concurrent connections busy, it will need to send at least 160MB of HTTP payload per second, or about 1.5 Gbps of upload bandwidth. A lot of much easier attacks can already be performed with such resources.
