CRLF tags to avoid SLOW HTTP POST attack (Slow HTTP POST attack fix)

I am trying to mitigate a SLOW HTTP POST attack on my server by adding CRLF tags to the API headers and request body so that the connection is not allowed to stay open.

I need to know how to add the API policy for adding CRLF tags. I have looked in the forum but couldn't find many references on this.

I am new to this platform so kindly be specific regarding the details.


Hi,

I need to mitigate a SLOW HTTP POST attack when a request arrives at the Apigee gateway. I am trying to add a CRLF tag at the end of the headers and the POST request so that the connection is not kept open for such attacks.

I need to know what policies to set and what to add in each policy to achieve this. I looked in this forum but couldn't find any references for it.


If you have HTTP streaming disabled (see https://docs.apigee.com/api-platform/develop/enabling-streaming ) and your backend accepts traffic only from Apigee (i.e., southbound mTLS authentication, IP whitelisting), then Apigee is already protecting you by default.

If you have solid reason to believe otherwise (e.g., pen test findings), then please raise a support case so that we can analyse the evidence.

Hi,

Thank you for your response. Do you have any documentation that provides the evidence that CRLF tags are added automatically?

Also, we need to enable the header limit for the incoming request and we need help on the same.

CRLF tags won't be added automatically. Slow HTTP attacks work by making the webserver wait a very long time for the rest of the body (which would include the CRLFs). However, such an attack would never reach your backend because the *entire* request, including CRLFs, is parsed in Apigee before it is sent to the backend. If the request never completes, it's never sent to the backend and your backend never knows the request even happened (again, assuming streaming is disabled).

Worst case, Apigee ends up waiting a very long time for a request that never finishes. Assuming you're on Apigee cloud, that's Apigee's problem, not yours. Even if you're on-prem, you're still protecting your backend, and the default settings (e.g., timeouts) on your Apigee routers should be sufficient to protect your service.
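The reply above describes the mechanism that actually matters: a buffering front end reads the whole header block (up to the terminating CRLF CRLF) and all Content-Length bytes before anything is forwarded, and a request that never completes within the read timeout is dropped without the backend ever seeing it. The following is an added illustration, not code from the original thread and not Apigee's implementation: a small Python model of such a buffering reader driven by a virtual clock, so the slow-body, slow-header and client-disconnect cases can be exercised offline. The chunk sequences, header names, size limits and the 30 s deadline are all constructed for the example.

```python
"""Model of a buffering HTTP front end facing a slow POST client.

Each request is fed in as a list of (arrival_time_seconds, bytes) chunks
(a virtual clock, so nothing actually sleeps).  The request is only
"forwarded" once the full header block and the declared Content-Length
bytes have arrived before the deadline; otherwise it is rejected and the
backend never sees it.  All sample traffic below is constructed.
"""

HEADER_END = b"\r\n\r\n"


def parse_headers(raw):
    """Split a raw header block (without the terminator) into request line
    and a lower-cased name -> value dict."""
    lines = raw.split(b"\r\n")
    request_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().decode("ascii", "replace").lower()] = (
                value.strip().decode("ascii", "replace"))
    return request_line, headers


def read_request(chunks, deadline_s=30.0, max_header_bytes=8192,
                 max_body_bytes=1_000_000):
    """Return {"status": "forwarded", ...} only when a complete request has
    arrived within deadline_s; otherwise {"status": "rejected", "reason": ...}."""
    buf = b""
    clock = 0.0
    header_end = None       # offset just past CRLF CRLF once seen
    request_line, headers, content_length = None, None, 0

    for arrival, data in chunks:
        clock = arrival
        if clock > deadline_s:                     # read timeout fired
            return {"status": "rejected", "reason": "timeout", "elapsed": clock}
        buf += data

        if header_end is None:
            idx = buf.find(HEADER_END)
            if idx == -1:
                if len(buf) > max_header_bytes:    # headers never terminate
                    return {"status": "rejected", "reason": "header_too_large",
                            "elapsed": clock}
                continue                           # still waiting for CRLF CRLF
            if idx > max_header_bytes:
                return {"status": "rejected", "reason": "header_too_large",
                        "elapsed": clock}
            header_end = idx + len(HEADER_END)
            request_line, headers = parse_headers(buf[:idx])
            cl = headers.get("content-length", "0")
            if not cl.isdigit():
                return {"status": "rejected", "reason": "bad_content_length",
                        "elapsed": clock}
            content_length = int(cl)
            if content_length > max_body_bytes:
                return {"status": "rejected", "reason": "body_too_large",
                        "elapsed": clock}

        if len(buf) - header_end >= content_length:  # whole body is here
            body = buf[header_end:header_end + content_length]
            return {"status": "forwarded", "request_line": request_line,
                    "headers": headers, "body": body, "elapsed": clock}

    # client closed the connection before the request was complete
    return {"status": "rejected", "reason": "incomplete", "elapsed": clock}


# --- constructed sample traffic -------------------------------------------
NORMAL_POST = [
    (0.0, b"POST /orders HTTP/1.1\r\nHost: api.example.test\r\n"
          b"Content-Length: 13\r\n\r\n"),
    (0.1, b'{"id": 1234}\n'),
]
# body declared as 100000 bytes, then one byte every 10 s: classic slow POST
SLOW_BODY_POST = [
    (0.0, b"POST /orders HTTP/1.1\r\nHost: api.example.test\r\n"
          b"Content-Length: 100000\r\n\r\n"),
    (10.0, b"a"), (20.0, b"a"), (40.0, b"a"),
]
# header lines trickled in and never terminated
SLOW_HEADERS = [
    (0.0, b"POST /orders HTTP/1.1\r\n"),
    (15.0, b"X-a: 1\r\n"),
    (35.0, b"X-b: 2\r\n"),
]
# declares 50 body bytes, sends 10, then disconnects
DISCONNECT_POST = [
    (0.0, b"POST /orders HTTP/1.1\r\nContent-Length: 50\r\n\r\n"),
    (1.0, b"0123456789"),
]


def summarize():
    """Run every sample through the reader; used by the test below."""
    return {name: read_request(chunks)["status"] + ":" +
            read_request(chunks).get("reason", "ok")
            for name, chunks in [("normal", NORMAL_POST),
                                 ("slow_body", SLOW_BODY_POST),
                                 ("slow_headers", SLOW_HEADERS),
                                 ("disconnect", DISCONNECT_POST)]}


if __name__ == "__main__":
    for name, outcome in summarize().items():
        print(f"{name:13s} -> {outcome}")
```

Only the "normal" case ever yields a body to hand to the backend; the three attack shapes all end in a rejection at the front end, which is the point the reply makes about a non-streaming gateway. The same logic also shows why appending CRLF to your own headers cannot help: the attacker controls when (and whether) the terminating CRLF CRLF and the body arrive, so the effective control is the read timeout and the size limits on the buffering side.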


You can use a JavaScript, Python, JavaCallout or AssignMessage policy to add CRLF. I noticed this issue during basic authentication. I added a restriction using a Python script to reverse encode and validate.