Fortinet 34 FortiWeb 5.0 Patch 6 Administration Guide
HTTP sessions & security
The HTTP 1.1 protocol itself is stateless (i.e., it has no inherent support for persistent sessions). Yet many web applications add sessions to become stateful. Why? What is a session? What is statefulness? How do they impact security on the web?

Sessions correlate individual requests for web pages or data ("hits") into an overall "visit" by a client over a span of time, and also retain some memory between events. They typically consist of a session ID coupled with data that indicates the current state. Classic examples include logins, showing previously viewed items, and shopping carts.

The reason HTTP applications must add sessions is related to how software works: software often changes how it appears or acts based upon:
- Input you supply (e.g. a mouse click or a data file)
- System events (e.g. time or availability of a network connection)
- Current state (i.e. the product of previous events: its history)
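To make the session ID plus server-side state concrete, here is a small added example (not code from the FortiWeb guide) of a session layer placed on top of stateless HTTP: each hit carries only a `session` cookie, the server keeps the state, and the ID is drawn from the OS CSPRNG because it is the only thing tying a hit to a visit. The cookie name, the 60-second lifetime used in `demo()` and the cart contents are assumptions chosen for illustration.

```python
import secrets
from typing import Optional

SESSION_TTL_SECONDS = 1800   # idle lifetime of a visit; assumed value


class SessionStore:
    """In-memory server-side store: session ID -> (state, last-seen time).

    The ID is the only thing that ties a hit to a visit, so it is drawn from
    the OS CSPRNG; a guessable ID would let anyone impersonate the visit.
    """

    def __init__(self, ttl: float = SESSION_TTL_SECONDS):
        self.ttl = ttl
        self._sessions: dict = {}

    def create(self, now: float) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits of entropy
        self._sessions[sid] = ({}, now)
        return sid

    def lookup(self, sid: Optional[str], now: float) -> Optional[dict]:
        """Return the state for a known, unexpired ID, else None."""
        entry = self._sessions.get(sid) if sid else None
        if entry is None:
            return None
        state, last_seen = entry
        if now - last_seen > self.ttl:
            del self._sessions[sid]         # idle visit ends; forget its state
            return None
        self._sessions[sid] = (state, now)  # touch: extend the visit
        return state


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; malformed pairs are ignored."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep and name:
            cookies[name] = val
    return cookies


def handle_request(store: SessionStore, headers: dict, add_item: Optional[str],
                   now: float) -> tuple:
    """One hit. Resolves (or starts) the visit from the 'session' cookie,
    applies the request to the cart, and returns (session_id, cart)."""
    sid = parse_cookie_header(headers.get("Cookie", "")).get("session")
    state = store.lookup(sid, now)
    if state is None:                       # no, unknown, forged or expired ID
        sid = store.create(now)
        state = store.lookup(sid, now)
    cart = state.setdefault("cart", [])
    if add_item:
        cart.append(add_item)
    return sid, list(cart)


def demo() -> tuple:
    """Constructed sequence of hits against a 60-second session lifetime."""
    store = SessionStore(ttl=60)
    t0 = 1000.0
    sid, cart1 = handle_request(store, {}, "book", t0)                 # new visit
    _, cart2 = handle_request(store, {"Cookie": f"session={sid}"}, "pen", t0 + 5)
    other, cart3 = handle_request(store, {"Cookie": "session=1"}, None, t0 + 6)
    _, cart4 = handle_request(store, {"Cookie": f"session={sid}"}, None, t0 + 200)
    return cart1, cart2, cart3, cart4, other != sid


if __name__ == "__main__":
    print(demo())
```

The four hits in `demo()` show the visit being built up (cart grows across two hits), a forged ID falling through to a fresh, empty visit rather than someone else's, and the original ID expiring once it has been idle longer than the lifetime.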
Table 3: DoS-related threats

Attack Technique: Slowloris
Description: Slowly but steadily consumes all available sockets by sending partial HTTP requests at regular intervals. The request's header section is never terminated with the CRLF sequence (\r\n\r\n) that the specification requires, so the server waits for the client to finish and keeps the socket open. This slowly consumes all sockets on a web server without a noticeable spike in new TCP/IP connections or bandwidth. Not all web servers are vulnerable, and susceptibility varies by configuration: default Apache configurations may be more vulnerable than a server such as nginx that is designed for high concurrency.
FortiWeb Solution: Header Length; Number of Header Lines In Request; Real Browser Enforcement; Persistent Server Sessions

Attack Technique: SYN flood
Description: Sends a stream of TCP SYN packets. The target server answers each SYN with a SYN-ACK and waits for the client's ACK. Rather than respond, the attacker sends more SYN packets, leaving each connection half-open (never fully formed), so the flood may not register on systems that only monitor fully formed connections. Because each half-open connection requires RAM to hold its state while awaiting completion or tear-down, many SYNs eventually exhaust available RAM or sockets.
FortiWeb Solution: Syn Cookie
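The Slowloris row in Table 3 lists limits on header length and on the number of header lines as countermeasures. The following added example (generic code written for this page, not FortiWeb's implementation of those settings) models one connection's request head as it arrives and applies a length limit, a line-count limit, a whole-head deadline and a per-read idle timeout. The simulated attacker, the `victim.example` host name, the limit values and the `check_request_head`/`simulate_slowloris` names are all constructed for illustration.

```python
CRLF = b"\r\n"


def check_request_head(buf: bytes, *, max_header_len: int = 4096,
                       max_header_lines: int = 64, elapsed_seconds: float = 0.0,
                       idle_seconds: float = 0.0, head_timeout: float = 40.0,
                       idle_timeout: float = 20.0) -> str:
    """Classify the bytes received so far on one connection.

    Returns 'complete' once the blank line ending the header section has
    arrived, 'waiting' while the request is still legitimately in progress,
    or 'reject:<reason>' when a limit is exceeded. The length limit applies
    to the request line and to every header line, finished or not.
    """
    head, terminator, _body = buf.partition(CRLF + CRLF)
    lines = head.split(CRLF)                 # last element may be a partial line
    if any(len(line) > max_header_len for line in lines):
        return "reject:header-too-long"
    if len(lines) - 1 > max_header_lines:    # lines[0] is the request line
        return "reject:too-many-header-lines"
    if terminator:
        return "complete"
    if elapsed_seconds >= head_timeout:
        return "reject:head-timeout"         # the whole head took too long
    if idle_seconds >= idle_timeout:
        return "reject:idle-timeout"         # nothing received for too long
    return "waiting"


def simulate_slowloris(*, interval: float = 10.0, max_header_lines: int = 64,
                       head_timeout: float = 40.0, idle_timeout: float = 20.0,
                       max_time: float = 600.0) -> tuple:
    """Model one Slowloris connection (constructed traffic): a valid request
    line and Host header, then one bogus header line every `interval` seconds
    and never the final blank line. The server re-checks the connection just
    before each new line lands, so idle time equals the interval.
    Returns (seconds the socket stayed open, verdict)."""
    buf = b"GET / HTTP/1.1\r\nHost: victim.example\r\n"
    t = 0.0
    while True:
        verdict = check_request_head(buf, max_header_lines=max_header_lines,
                                     elapsed_seconds=t, idle_seconds=interval,
                                     head_timeout=head_timeout,
                                     idle_timeout=idle_timeout)
        if verdict != "waiting":
            return t, verdict
        if t >= max_time:
            return t, "still-open"           # no limit fired; socket stays tied up
        t += interval
        buf += b"X-a: " + str(int(t)).encode() + CRLF


if __name__ == "__main__":
    print(simulate_slowloris(max_header_lines=8, head_timeout=10**9))
    print(simulate_slowloris(max_header_lines=8, head_timeout=40.0))
    print(simulate_slowloris(max_header_lines=10**6, head_timeout=10**6))
```

The third run is the instructive one: an attacker that trickles a line every 10 seconds never trips a 20-second idle timeout, so the socket stays open indefinitely; only a cap on the number of header lines or a deadline on the whole head ends the connection.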
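The SYN flood row in Table 3 names SYN cookies as the countermeasure. The added example below (written for this page, not FortiWeb's or any kernel's implementation) shows the idea that makes them work: the server encodes what it would otherwise have to remember about a half-open connection into the initial sequence number of its SYN-ACK, so a flood of spoofed SYNs costs it no memory, while an honest client's final ACK can still be validated from the packet alone. The layout (8-bit time slot followed by a 24-bit truncated HMAC), the 64-second slot, the IPv4-only packing, the addresses and the secret are all assumptions for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

COUNTER_PERIOD = 64          # seconds per cookie time slot (assumed)
MAX_COOKIE_AGE_SLOTS = 2     # a SYN-ACK older than this is no longer honoured


def _mac24(secret: bytes, src_ip: str, src_port: int, dst_ip: str,
           dst_port: int, counter: int) -> int:
    """24-bit truncated HMAC over the IPv4 4-tuple and the time slot."""
    msg = struct.pack("!4sH4sHB", ipaddress.ip_address(src_ip).packed, src_port,
                      ipaddress.ip_address(dst_ip).packed, dst_port, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret: bytes, src_ip: str, src_port: int, dst_ip: str,
                    dst_port: int, now: int) -> int:
    """ISN for the SYN-ACK: 8-bit time slot || 24-bit MAC. Nothing is stored."""
    counter = (now // COUNTER_PERIOD) & 0xFF
    return (counter << 24) | _mac24(secret, src_ip, src_port, dst_ip, dst_port, counter)


def check_syn_cookie(secret: bytes, src_ip: str, src_port: int, dst_ip: str,
                     dst_port: int, ack: int, now: int) -> bool:
    """Validate a client's final ACK using only the packet and the secret."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    counter = cookie >> 24
    age = (((now // COUNTER_PERIOD) & 0xFF) - counter) & 0xFF
    if age > MAX_COOKIE_AGE_SLOTS:
        return False                         # stale: SYN-ACK sent too long ago
    expected = _mac24(secret, src_ip, src_port, dst_ip, dst_port, counter)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big"))


SERVER = ("192.0.2.10", 443)      # constructed server address (TEST-NET-1)


def flood_demo(secret: bytes, n_spoofed: int = 10_000) -> dict:
    """Absorb n_spoofed SYNs from constructed spoofed sources, then handle one
    honest client. Reports the per-connection state a stateful server would
    have had to keep, and the outcome of honest, forged and stale ACKs."""
    half_open = {}                    # what a stateful server must keep per SYN
    for i in range(n_spoofed):
        src = (f"198.51.100.{i % 254 + 1}", 1024 + i % 60000)
        half_open[src] = "awaiting ACK"          # stateful: one entry per SYN
        make_syn_cookie(secret, src[0], src[1], *SERVER, now=1000)  # cookie: reply, forget
    client = ("203.0.113.7", 40000)
    isn = make_syn_cookie(secret, client[0], client[1], *SERVER, now=1000)
    return {
        "stateful_half_open": len(half_open),
        "honest_ack_accepted": check_syn_cookie(
            secret, client[0], client[1], *SERVER, isn + 1, now=1001),
        "forged_ack_accepted": check_syn_cookie(
            secret, client[0], client[1], *SERVER, (isn ^ 0x1234) + 1, now=1001),
        "stale_ack_accepted": check_syn_cookie(
            secret, client[0], client[1], *SERVER, isn + 1,
            now=1000 + COUNTER_PERIOD * 3),
    }


if __name__ == "__main__":
    print(flood_demo(b"constructed-example-secret"))
```

`check_syn_cookie` takes no connection table at all: that absence is the point, since the flood's cost to a cookie-issuing server is one SYN-ACK per SYN rather than a RAM entry held until timeout. The trade-off, visible in the 24-bit MAC, is that a guessed ACK succeeds with probability about 2^-24 per attempt, which is why real implementations also rate-limit and only fall back to cookies once the backlog fills.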