I have an ASP.NET site running under IIS 8.5 on Windows 2012 R2.
I'm trying to use the MinBytesPerSecond configuration setting (in applicationHost\WebLimits) as part of a strategy to mitigate slow HTTP POST attacks, but can't seem to get IIS to respect the value. I've tried with the default 240 bytes/sec plus much higher values.
I'm using OWASP/ProactiveRISK's SwitchBlade to trickle a POST body at 1 byte/sec to the server but cannot get it to drop the connection.
The use of MinBytesPerSecond is recommended in a number of articles on the web relating to slow DoS attacks, and so I am surprised I am having difficulty. I have restarted IIS after each setting change just in case.
Could this setting be monitored by another process which might not be running?
Any ideas, things to consider or alternatives greatly appreciated.
EDIT:
Just noted this in the IIS config reference here, minBytesPerSecond...
Specifies the minimum throughput rate, in bytes, that HTTP.sys enforces when it sends a response to the client. The minBytesPerSecond attribute prevents malicious or malfunctioning software clients from using resources by holding a connection open with minimal data. If the throughput rate is lower than the minBytesPerSecond setting, the connection is terminated.
Does this mean that this setting only applies to the rate at which the response is returned, i.e. could only be used against slow reads? Does anyone have any knowledge or experience of minBytesPerSecond working for them?
Thanks.