Support User Manuals

Fortinet 5.0 Patch 6 Microscope & Magnifier User Manual

Open as PDF

of 705

Fortinet 613 FortiWeb 5.0 Patch 6 Administration Guide

buffer could result in many false positives during normal use. Such false positives are to be

avoided because the flood of information could distract you from real attacks.

In terms of attacks, large DoS attacks from a single attacker are impractical: if the attacking host

must co

nsume its own bandwidth or CPU faster than the web server can process it, the attack

won’t work. Therefore DoS request traffic is unlikely to be oversized.

Determined attackers, though, often craft oversized requests to mask an exploit. Tact

ics

to pad an attack with harmless data in order to push the payload beyond the scan buffer are

popular with more knowledgeable APT attackers, and with black hat researchers crafting exploit

packages for Metasploit and other tools that ultimately land in the hands of script kiddies.

Similar to buffer overflow attacks, these padded attacks attempt to bypass and exploit inherent

limits. If a request cannot fit into the buffer, it might be a padded attack.

If your web applications do not require oversized requests to work, you can toughen

secu

rity b

y blocking oversized requests. Configure HTTP constraints with Malformed

Request etc. (see “HTTP/HTTPS protocol constraints” on page 440). Also configure exceptions

for URLs that require you to ignore the buffer limitations, such as music or movie uploads.

To determine your appropriate HTTP constraints, first observe your normal traffic. Compare it

with FortiW

eb’s buffer counts and maximum sizes.

Table 57:FortiWeb buffer configuration

Buffer Limit Block oversized requests using

URL size, excluding appended

paramet

ers and the parameter delimiter

( ? ) (e.g. /path/to/app)

Usually 2 KB Malfor

med Request

URL parameters’ total size Cache Total URL and Body Parameters

Length

URL parameter’s individual size Configurable

(see

http-cach

e

size in the

FortiWeb

CLI

Reference)

Malformed Request

Number of parameters 64 Malformed Request

HTTP header lines’ total size 4 KB Header Length

HTTP header line’s individual size Cache Header Line Length

Number of HTTP header lines 32 Number of Header Lines In Request

Cookies’ total size 2 KB Malformed Request

Number of cookies 32 Number of Cookies In Request

Adobe Flash (AMF) parameters’ total

size

Cache Total URL Parameters Length

Number of Adobe Flash (AMF)

pa

ramet

ers

32 Malformed Request

previous next