Slowloris DOS attack

0
Hi All,

During the security audit, they listed one error on the Mendix applications, which are running on Windows IIS. It is as below:

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. (CVE-2007-6750)

The auditors have listed all the ports which are applicable for each service.

As per Google, in Apache we need to set the "request timeout" parameter.

But in Mendix, how do we set the same?

I need your guidance to do the same.
asked
2 answers
1

Apache and Windows IIS are two different web servers. Are you self-hosting your application on IIS?

 

To set a timeout on IIS, it looks like you need to set the executionTimeout to a sensible value. If it's 3 minutes (180 seconds), then you could use the following...

 

<system.web>
    <httpRuntime executionTimeout="180" />
</system.web>

 

https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.85).aspx

 

Good luck!

answered
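
An added example, not part of the original answer: a Python check that reads a web.config and reports whether the executionTimeout setting from the answer above is actually in force for the root and for each `<location>` override. It relies on the documented ASP.NET behaviour that the default is 110 seconds and that the timeout is not applied when `<compilation debug="true">` is set; the 180-second limit, the function names and the `reports` path are assumptions made for illustration. executionTimeout bounds how long ASP.NET runs a request, so this check says nothing about connection-level limits.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT = 110  # seconds: ASP.NET default when executionTimeout is absent

def _read(sysweb, inherited):
    """Merge one <system.web> element over the inherited (timeout, debug) pair."""
    timeout, debug = inherited
    if sysweb is not None:
        runtime = sysweb.find("httpRuntime")
        if runtime is not None and runtime.get("executionTimeout") is not None:
            timeout = runtime.get("executionTimeout")
        compilation = sysweb.find("compilation")
        if compilation is not None and compilation.get("debug") is not None:
            debug = compilation.get("debug").strip().lower() == "true"
    return timeout, debug

def audit_execution_timeout(web_config_xml, max_allowed=180):
    """Return {scope: [problems]}; an empty list means the scope passes."""
    root = ET.fromstring(web_config_xml)
    base = _read(root.find("system.web"), (str(DEFAULT_TIMEOUT), False))
    scopes = {"(root)": base}
    # <location path="..."> blocks can override the root values per path.
    for loc in root.findall("location"):
        scopes[loc.get("path", "")] = _read(loc.find("system.web"), base)
    report = {}
    for scope, (timeout, debug) in scopes.items():
        problems = []
        if not timeout.strip().isdigit():
            problems.append(f"executionTimeout={timeout!r} is not a whole number of seconds")
        elif int(timeout) > max_allowed:
            problems.append(f"executionTimeout={timeout}s exceeds {max_allowed}s")
        if debug:
            problems.append("compilation debug=true: executionTimeout is not enforced")
        report[scope] = problems
    return report

# Constructed sample: the answer's setting at the root, weakened by a debug
# flag and by a per-path override (the path name is made up).
SAMPLE = """<configuration>
  <system.web>
    <compilation debug="true" />
    <httpRuntime executionTimeout="180" />
  </system.web>
  <location path="reports">
    <system.web><httpRuntime executionTimeout="3600" /></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for scope, problems in audit_execution_timeout(SAMPLE).items():
        print(scope, "OK" if not problems else "; ".join(problems))
```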
0

Hi Robert Price,

 

We have updated the web.config file.

Now we wait for the auditor's review after the next run.

Thanks for the timely help.

 

 

answered