The application server must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks.


Overview

Finding ID: V-35434
Version: SRG-APP-000245-AS-000163
Rule ID: SV-46721r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Employing increased capacity and bandwidth combined with service redundancy can reduce the susceptibility to some DoS attacks. When an application server is used in a high-risk environment (such as a DMZ), the amount of access to the system from various sources usually increases, as does the system's risk of becoming more susceptible to DoS attacks. The application server must be configurable to withstand or minimize the risk of DoS attacks. This can be partially achieved if the application server (AS) provides configuration options that limit the number of allowed concurrent HTTP connections.
STIG: Application Server Security Requirements Guide
Date: 2013-01-08

Details

Check Text (C-43788r1_chk)
Review AS documentation and configuration to determine if the AS can be configured to limit the number of concurrent connections. If the AS cannot be configured to limit the number of concurrent HTTP connections, this is a finding.
Fix Text (F-39978r2_fix)
Configure the AS to limit the number of concurrent HTTP sessions.
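
One way to automate the configuration review from the Check Text, as an added example that is not part of the STIG. The requirement names no product, so this sketch assumes Apache Tomcat's server.xml, where the Connector attribute maxConnections caps concurrent connections and -1 disables the cap; the sample file and the `ceiling` policy value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from any real system.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxConnections="2000" maxThreads="200"/>
    <Connector port="8081" protocol="HTTP/1.1" maxConnections="-1"/>
    <Connector port="8009" protocol="AJP/1.3" maxConnections="500"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml, ceiling=10000):
    """Return (port, status, detail) for each HTTP connector.

    ceiling is a hypothetical site policy value: the largest
    maxConnections the reviewer accepts as a meaningful limit.
    """
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue  # the requirement concerns HTTP connections only
        port = conn.get("port", "?")
        raw = conn.get("maxConnections")
        if raw is None:
            # Tomcat falls back to a built-in default; flag for manual review.
            results.append((port, "REVIEW", "maxConnections not set explicitly"))
            continue
        try:
            limit = int(raw)
        except ValueError:
            results.append((port, "FINDING", f"maxConnections={raw!r} is not an integer"))
            continue
        if limit == -1:
            results.append((port, "FINDING", "maxConnections=-1 disables the limit"))
        elif limit < 1:
            results.append((port, "FINDING", f"maxConnections={limit} is not a valid limit"))
        elif limit > ceiling:
            results.append((port, "FINDING", f"maxConnections={limit} exceeds ceiling {ceiling}"))
        else:
            results.append((port, "OK", f"maxConnections={limit}"))
    return results

if __name__ == "__main__":
    for port, status, detail in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {status} ({detail})")
```
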