Check Point Advisories

Web Servers HTTP POST Denial of Service

Vulnerability
Protection

Check Point Reference:	CPAI-2013-1687
Date Published:	1 Jul 2013
Severity:	High
Last Updated:	Tuesday 23 April, 2024
Source:
Protection Provided by:	Security Gateway R75 R71 R70
Who is Vulnerable?	Multiple web servers
Vulnerability Description	A denial of service vulnerability has been reported in multiple web servers.
Vulnerability Details	Remote attackers can exploit this issue by rapidly sending the target a large number of HTTP POST requests with an overly large Content-Length header value. The attack can be initiated from one or more sources (DDoS). Successful exploitation can result in a denial of service condition on the affected server.

Protection Overview

IPS will detect and block specially crafted HTTP requests sent to the server.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.

Security Gateway R75 / R71 / R70

In the IPS tab, click Protections, find the Web Servers HTTP POST Denial of Service protection using the Search tool and double-click on the protection.
In the Protection Details window, select the required profile and click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and configure the protection to your requirements:

Limit the number of incoming HTTP POST requests sent to the same destination IP
Limit the period of time for the arrival of set number of HTTP POST requests
Limit the max value for the Content-Length within incoming HTTP POST requests (< 4200000000)
For DDoS attacks, check only the destination IP

SmartView Tracker will log the following entries:
Attack Name: Web Server Enforcement Violation
Attack Information: Web Servers HTTP POST Denial of Service