Slow HTTP DoS Attacks Mitigation

Summary

An Uncontrolled Resource Consumption vulnerability in multiple products may allow an attacker to cause web service portal denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server’s concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP attacks are easy to execute because they require only minimal resources from the attacker.

Affected Products

The admin webUI of following products/versions are impacted: The admin webUI of following products/versions are impacted: The admin webUI of following products/versions are impacted: The admin webUI of following products/versions are impacted: FortiOS versions 6.2.2 and below FortiOS versions 6.2.2 and below FortiOS versions 6.2.2 and below FortiOS versions 6.2.2 and below FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2 FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2 FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2 FortiSwitch versions below 3.6.11, 6.0.6 and 6.2.2 FortiAnalyzer all versions below 6.2.3 FortiAnalyzer all versions below 6.2.3 FortiAnalyzer all versions below 6.2.3 FortiAnalyzer all versions below 6.2.3 All 6.4.x verions of FortiAnalyzer All 6.4.x verions of FortiAnalyzer All 6.4.x verions of FortiAnalyzer All 6.4.x verions of FortiAnalyzer FortiAnalyzer all versions below 7.0.4 FortiAnalyzer all versions below 7.0.4 FortiAnalyzer all versions below 7.0.4 FortiAnalyzer all versions below 7.0.4 FortiAnalyzer version 7.2.0 FortiAnalyzer version 7.2.0 FortiAnalyzer version 7.2.0 FortiAnalyzer version 7.2.0 FortiManager all versions below 6.2.3 FortiManager all versions below 6.2.3 FortiManager all versions below 6.2.3 FortiManager all versions below 6.2.3 FortiAP-S/W2 versions below 6.2.2 FortiAP-S/W2 versions below 6.2.2 FortiAP-S/W2 versions below 6.2.2 FortiAP-S/W2 versions below 6.2.2

Solutions

The following products/versions have implemented counter-measures: The following products/versions have implemented counter-measures: The following products/versions have implemented counter-measures: The following products/versions have implemented counter-measures: Upgrade to FortiOS 6.2.3 Upgrade to FortiOS 6.2.3 Upgrade to FortiOS 6.2.3 Upgrade to FortiOS 6.2.3 Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2 Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2 Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2 Upgrade to FortiSwitch 3.6.11, 6.0.6 or 6.2.2 Upgrade to FortiAnalyzer 7.2.1 Upgrade to FortiAnalyzer 7.2.1 Upgrade to FortiAnalyzer 7.2.1 Upgrade to FortiAnalyzer 7.2.1 Upgrade to FortiAnalyzer 7.0.4 Upgrade to FortiAnalyzer 7.0.4 Upgrade to FortiAnalyzer 7.0.4 Upgrade to FortiAnalyzer 7.0.4 Upgrade to FortiAnalyzer 6.2.3 Upgrade to FortiAnalyzer 6.2.3 Upgrade to FortiAnalyzer 6.2.3 Upgrade to FortiAnalyzer 6.2.3 Upgrade to FortiManager 6.2.3 Upgrade to FortiManager 6.2.3 Upgrade to FortiManager 6.2.3 Upgrade to FortiManager 6.2.3 Upgrade to FortiAP-S/W2 6.2.2 Upgrade to FortiAP-S/W2 6.2.2 Upgrade to FortiAP-S/W2 6.2.2 Upgrade to FortiAP-S/W2 6.2.2 When supported, configuring trust hosts for system administrators is a workaround, assuming those hosts are trusted to not initiate an attack. When supported, configuring trust hosts for system administrators is a workaround, assuming those hosts are trusted to not initiate an attack. When supported, configuring trust hosts for system administrators is a workaround, assuming those hosts are trusted to not initiate an attack. When supported, configuring trust hosts for system administrators is a workaround, assuming those hosts are trusted to not initiate an attack.

Acknowledgement

Fortinet is pleased to thank Independent research team Denis Kolegov, Maxim Gorbunov, Nikita Oleksov and Anton Nikolaev for reporting this vulnerability under responsible disclosure.