Open
User Story
As a system administrator, I want the API server to be protected against Slowloris denial of service attacks so that the application remains available and responsive to legitimate users even under attack conditions.
Description
DeepSource has identified a security vulnerability (issue GO-S2112) in the konsulin-api repository where the server is susceptible to Slowloris DoS attacks. Slowloris attacks exploit the way web servers handle concurrent connections by sending partial HTTP requests slowly, keeping connections open and eventually exhausting the server's connection pool. This prevents legitimate users from accessing the service while requiring minimal resources from the attacker.
Reference
- DeepSource Issue: GO-S2112 Occurrences
- Total occurrences identified: 1
- OWASP Slowloris Attack Overview: https://owasp.org/www-community/attacks/Slowloris
Notes:
- Implement appropriate timeouts for request headers and body reads (ReadHeaderTimeout, ReadTimeout, WriteTimeout)
- Consider setting reasonable limits on concurrent connections per IP address
- Review current server configuration in the affected code location
- Test the fix by simulating a Slowloris attack in a safe environment before deploying
- Ensure timeout values balance security with legitimate use cases (e.g., slow mobile connections)
- Document the chosen timeout values and rationale in code comments
- Consider implementing rate limiting as an additional layer of protection
- Verify that the solution does not negatively impact API performance or legitimate slow clients
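The timeout settings the notes call for, as an added example that is not the konsulin-api project's own code: a zero-value `http.Server` in Go has no read or write deadlines at all, which is the condition behind a Slowloris finding, so the fix is to set them explicitly. The timeout values and the `SlowlorisExposed` check below are assumptions chosen for illustration, not values from the repository.

```go
package main

import (
	"log"
	"net/http"
	"time"
)

// NewHardenedServer wraps a handler in an http.Server with explicit
// deadlines. ReadHeaderTimeout is the direct Slowloris control: a client
// that trickles header bytes must finish the whole header block within
// this window or the connection is closed. Values are example choices;
// tune them against the slowest legitimate clients (e.g. mobile links).
func NewHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second,  // full header block must arrive in 5 s
		ReadTimeout:       15 * time.Second, // header plus body
		WriteTimeout:      30 * time.Second, // response must finish writing
		IdleTimeout:       60 * time.Second, // keep-alive idle limit
		MaxHeaderBytes:    1 << 16,          // 64 KiB cap on request headers
	}
}

// SlowlorisExposed reports whether srv still allows unbounded header reads.
// net/http falls back to ReadTimeout when ReadHeaderTimeout is zero; when
// both are zero a slow client can hold a connection open indefinitely.
// Useful as a unit-test guard so the deadlines are not silently removed.
func SlowlorisExposed(srv *http.Server) bool {
	return srv.ReadHeaderTimeout <= 0 && srv.ReadTimeout <= 0
}

func main() {
	srv := NewHardenedServer(":8080", http.NotFoundHandler())
	log.Fatal(srv.ListenAndServe())
}
```

Per-IP connection limits and rate limiting, also mentioned in the notes, are a separate layer (typically a wrapped `net.Listener` or middleware) and are not shown here.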