Fortinet 613 FortiWeb 5.0 Patch 6 Administration Guide
buffer could result in many false positives during normal use. Such false positives are to be
avoided because the flood of information could distract you from real attacks.
Oversized requests are also an unlikely vehicle for DoS. A large DoS attack from a single attacker is impractical: the attacking host must spend its own bandwidth and CPU building and sending the requests faster than the web server can process them, so the attack does not pay off. DoS request traffic is therefore usually small rather than oversized.
Determined attackers, however, often craft oversized requests to mask an exploit. Padding an attack with harmless data so that the payload lands beyond the end of the scan buffer is a tactic popular with more knowledgeable APT attackers, and with black hat researchers crafting exploit packages for Metasploit and other tools that ultimately land in the hands of script kiddies. Like buffer overflow attacks, these padded attacks attempt to bypass and exploit an inherent limit. A request that does not fit into the buffer may therefore be a padded attack.
If your web applications do not need oversized requests in order to work, you can harden the deployment by blocking them: configure HTTP protocol constraints such as Malformed Request (see “HTTP/HTTPS protocol constraints” on page 440). Then add exceptions for the URLs that legitimately must exceed the buffer limits, such as music or movie uploads.
To determine your appropriate HTTP constraints, first observe your normal traffic. Compare it
with FortiWeb’s buffer counts and maximum sizes.
Table 57: FortiWeb buffer configuration

Buffer                                            Limit                               Block oversized requests using
------------------------------------------------  ----------------------------------  --------------------------------------
URL size, excluding appended parameters and the   Usually 2 KB                        Malformed Request
parameter delimiter ( ? ) (e.g. /path/to/app)
URL parameters’ total size                        Cache                               Total URL and Body Parameters Length
URL parameter’s individual size                   Configurable (see http-cachesize    Malformed Request
                                                  in the FortiWeb CLI Reference)
Number of parameters                              64                                  Malformed Request
HTTP header lines’ total size                     4 KB                                Header Length
HTTP header line’s individual size                Cache                               Header Line Length
Number of HTTP header lines                       32                                  Number of Header Lines In Request
Cookies’ total size                               2 KB                                Malformed Request
Number of cookies                                 32                                  Number of Cookies In Request
Adobe Flash (AMF) parameters’ total size          Cache                               Total URL Parameters Length
Number of Adobe Flash (AMF) parameters            32                                  Malformed Request
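The advice above is to observe normal traffic and compare it with the buffer counts and sizes in Table 57 before turning on constraints. The following script is an added example, not FortiWeb code: it measures a captured raw HTTP/1.x request against the fixed limits in the table (URL 2 KB, 64 parameters, 4 KB of header lines, 32 header lines, 2 KB of cookies, 32 cookies) and reports which limits the request would trip. The per-parameter and per-header-line caps depend on the cache size, so they are measured but not compared. The two sample requests are constructed for the example; how FortiWeb counts bytes internally (for instance whether CRLF is included in a header line's size) is an assumption here.

```python
"""Baseline raw HTTP requests against the FortiWeb buffer limits in Table 57.

Added example, not FortiWeb code. Byte-counting conventions (CRLF counted
in header line totals, a parameter counted as name + '=' + value) are
assumptions; adjust them to match what your observed traffic shows.
"""
from urllib.parse import parse_qsl

# Fixed limits from the table. Per-parameter and per-header-line caps
# follow the HTTP cache size, so they are reported but not compared.
DEFAULT_LIMITS = {
    "url_bytes": 2048,           # URL size, excluding ?parameters ("Usually 2 KB")
    "param_count": 64,           # Number of parameters
    "header_total_bytes": 4096,  # HTTP header lines' total size
    "header_line_count": 32,     # Number of HTTP header lines
    "cookie_total_bytes": 2048,  # Cookies' total size
    "cookie_count": 32,          # Number of cookies
}


def measure(raw: bytes) -> dict:
    """Return the sizes and counts the constraints are compared against.
    Assumes a well-formed HTTP/1.x request with CRLF line endings."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    _method, target, _version = request_line.split(b" ", 2)
    path, _, query = target.partition(b"?")

    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))

    # URL parameters, plus body parameters for form posts (the table's
    # "Total URL and Body Parameters Length" covers both).
    params = parse_qsl(query.decode("latin-1"), keep_blank_values=True)
    ctype = next((v for n, v in headers if n == b"content-type"), b"")
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)

    cookies = []
    for name, value in headers:
        if name == b"cookie":
            cookies += [c.strip() for c in value.split(b";") if c.strip()]

    return {
        "url_bytes": len(path),
        "param_count": len(params),
        "max_param_bytes": max((len(k) + len(v) + 1 for k, v in params), default=0),
        "header_total_bytes": sum(len(line) + 2 for line in header_lines),
        "header_line_count": len(header_lines),
        "max_header_line_bytes": max((len(line) for line in header_lines), default=0),
        "cookie_total_bytes": sum(len(c) for c in cookies),
        "cookie_count": len(cookies),
    }


def exceeded(raw: bytes, limits: dict = DEFAULT_LIMITS) -> list:
    """Names of the limits a request would trip, in table order."""
    m = measure(raw)
    return [name for name, cap in limits.items() if m[name] > cap]


# Constructed sample: an ordinary browser request that fits every buffer.
NORMAL = (
    b"GET /path/to/app?id=42&lang=en HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"\r\n"
)

# Constructed sample: a request padded the way the text describes, with 40
# filler header lines and a 3 KB junk parameter placed before the real one
# so that "cmd" sits beyond a small scan window.
PADDED = (
    b"POST /path/to/app HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"".join(b"X-Pad-%d: %s\r\n" % (i, b"A" * 60) for i in range(40))
    + b"\r\n"
    + b"pad=" + b"A" * 3000 + b"&cmd=payload"
)

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("padded", PADDED)):
        print(label, measure(raw), "exceeds:", exceeded(raw))
```

Run it over a sample of real captures (one request per file, or loop over a pcap export) and look at the distribution of each measurement: if a handful of URLs routinely exceed a limit, those are the candidates for exceptions, while everything else can be covered by the corresponding constraint. The padded sample trips only the header line count; its 3 KB parameter is flagged by the individual parameter size, which is why that value is worth watching even though its cap is not fixed in the table.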