
The number of allowed simultaneous requests will be limited for web sites.


Overview

Finding ID: V-2240
Version: WG110
Rule ID: SV-2240r6_rule
IA Controls: DCBP-1
Severity: Medium
Description
Resource exhaustion can occur when a web site allows an unlimited number of concurrent requests, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests per IP address and may include, where feasible, limiting the parameter values associated with keepalive (i.e., a parameter used to limit the amount of time a connection may be inactive).
STIG: Web Server STIG
Date: 2010-10-07

Details

Check Text (C-29061r1_chk)
The reviewer will query the IAO, the SA, the web administrator, or developers as necessary to determine if the web server is configured to permit an unlimited number of HTTP requests. Not all web servers have this capability.

If the web server you are reviewing cannot be configured to limit HTTP requests, mark this check as Not Applicable.

Ask the web administrator to provide you with the number of HTTP requests the server is configured to accept. The provided number indicates an HTTP request limitation and satisfies the requirement.

If the web administrator cannot provide this information, this is a finding.



Fix Text (F-26067r1_fix)
Configure the web server to limit the number of HTTP requests.
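
As an added example (not part of the STIG or of any vendor's tooling), the Python sketch below reads the limit the check asks the web administrator for directly from configuration. It assumes an nginx-style server, which the STIG does not name; `limit_conn_zone`, `limit_conn` and `keepalive_timeout` are nginx directives, and both sample configurations are constructed.

```python
import re

# Directives relevant to the check; one directive per line is assumed.
DIRECTIVE = re.compile(
    r"^\s*(limit_conn_zone|limit_conn|keepalive_timeout)\s+([^;]+);", re.M)
CLIENT_KEYS = ("$binary_remote_addr", "$remote_addr")  # per-IP zone keys

def review(config_text):
    """Collect the evidence a reviewer would record for this check."""
    text = re.sub(r"#[^\n]*", "", config_text)  # commented-out lines are not in effect
    zones, limits, keepalive = {}, [], None
    for name, args in DIRECTIVE.findall(text):
        parts = args.split()
        if name == "limit_conn_zone":        # limit_conn_zone <key> zone=<name>:<size>
            m = re.search(r"zone=([^:\s]+)", args)
            if m:
                zones[m.group(1)] = parts[0]
        elif name == "limit_conn":           # limit_conn <zone> <number>
            if len(parts) == 2 and parts[1].isdigit():
                limits.append((parts[0], int(parts[1])))
        else:                                # keepalive_timeout <time>
            keepalive = parts[0]
    # Only limits bound to a zone keyed on the client address count as per-IP.
    per_ip = [(z, n) for z, n in limits if zones.get(z) in CLIENT_KEYS]
    return {"per_ip_limits": per_ip,
            "keepalive_timeout": keepalive,
            "finding": not per_ip}   # no provable limit means a finding

# Constructed sample: limit in effect.
LIMITED = """
http {
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    server {
        listen 443 ssl;
        limit_conn perip 20;      # concurrent connections per client address
        keepalive_timeout 15s;
    }
}
"""

# Constructed sample: the limit exists only as a comment.
UNLIMITED = """
http {
    server {
        listen 80;
        # limit_conn perip 20;
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("limited", LIMITED), ("unlimited", UNLIMITED)):
        print(label, review(cfg))
```

The second sample shows why a commented-out directive must not be accepted as the configured limit.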