4D Web Server vs Qualys testing

Our IT support has been running Qualys tests internally on our network which include hitting any web servers they can find. The tests are able to bring the 4D Server to its knees, with a few dozen web processes running. We’re filtering On Web Connection for legitimate requests, but it seems to be too late by then. (Or else our filters aren’t quite right.)

In production, we have an Apache server as reverse proxy, and nothing is getting past that.

Does anyone have suggestions on how to handle this sort of thing?

4D Server v17.3hf3

Thanks,

Jim

Jim,

We had this very same problem with a customer and we got around it by putting logic in our system to determine if the request is valid (same as you) and if it’s not valid we shut the web server off for a period of 5 minutes (configurable).

I’m not saying this is the best way, but it was the only option we could make work. We never told them how our change worked, we simply did this and did not have a problem afterwards.

Best,

Steve

Does limiting the max. number of web processes help?

The default is 100 but I suspect it is not really the number of concurrent processes that is hurting the web server, but rather, intentionally malformed requests (false content-length, etc.).

WEB SET OPTION(Web max concurrent processes;$max)

Normally you are supposed to have an application firewall protecting any application server. This firewall can be before or after the web server. In that case you would run a proxy server, such as Nginx, before 4D Server, allowing 4D only to get access from this proxy, which is already protected.

This is not only true for 4D, but the normal way to work for any application server.

On the 4D side you can try to reduce the impact, but only reduce it.
As Keisuke wrote, you can limit the number of parallel accesses.
Don’t forget to limit the largest allowed upload. 4D by default allows 2 GB upload. Now imagine only 20 processes requesting a 2 GB upload - 40 GB RAM blocked, computer blocked…
If you don’t need large file upload, limit that to 1 MB or similar.

Then you need to check the parameters you receive for valid data and reject stupid requests.
Sorting by street name? Could take a while for non-indexed fields with large selections, so don’t allow it. And so on. You need to create a white list of allowed answers.

Looks like a lot of work? Yes, that’s normally the job of an application firewall, allowing only good requests, refusing stupid (=need too much time) requests.

If your Web server code is not yet running preemptive, you need to be even more restrictive.
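An Nginx front-end configuration that applies the limits discussed above (upload size, parallel access, request whitelist) before anything reaches 4D Server, added here as an example; it is not from this thread or from 4D, and it assumes 4D's web server is bound to 127.0.0.1:8080, with a placeholder hostname and assumed URL paths.

```nginx
# Added example (not from the thread or from 4D): Nginx in front of 4D Server,
# so the limits are enforced before a request reaches the application.
# Assumptions: 4D listens on 127.0.0.1:8080 (localhost only, so only the proxy
# can reach it); hostname and the /4DACTION/ and /static/ paths are assumed.

# Shared memory zones for per-client limits (sizes are illustrative).
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;

server {
    listen 80;
    server_name app.example.invalid;   # placeholder hostname

    # Cap request bodies: 4D's 2 GB default lets a handful of parallel
    # uploads exhaust RAM; 1 MB is enough for ordinary form posts.
    client_max_body_size 1m;

    # Drop slow or never-completing clients instead of tying up a worker.
    client_body_timeout   10s;
    client_header_timeout 10s;
    send_timeout          10s;

    # Per-client concurrency and rate caps; excess requests get 429.
    limit_conn per_ip_conn 20;
    limit_req  zone=per_ip_req burst=20 nodelay;
    limit_conn_status 429;
    limit_req_status  429;

    # Only forward the paths the application actually serves (whitelist).
    location ~ ^/(4DACTION/[A-Za-z0-9_]+|static/) {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 30s;
    }

    # Everything else, including scanner probes for unknown paths, is
    # answered by Nginx and never reaches 4D.
    location / {
        return 404;
    }
}
```

The whitelist regex should be tightened to the exact methods and paths the On Web Connection filter expects, so the proxy and the 4D-side check agree.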

Thanks for the ideas.

Done:

  • Running reverse proxy (in this case we are running the internal Qualys attacks!)
  • Filtering requests (but maybe some things are slipping through)
  • Not running any time consuming code on request

To do:

  • Limit max number of web processes
  • Limit size of uploads
  • Run web server preemptive