- DoS coverage: 6 of the 8 slow-playbook tests demonstrated actionable DoS exposure: slowloris (Portal/z2__DoS_singleMachine_SLOW/reports/2_blockMode/slowloris-report.md:1), staged R.U.D.Y uploads (…/rudy-report.md:1), slow-read dispatcher drain (…/slowread-report.md:1), raw TCP connection flood (…/tcpConnFlood-report.md:1), persistent HTTPS keep-alives (…/persistentHttps-report.md:1), and the MUFG-style slow upload (…/slowUpload-report.md:1). The TLS handshake stress and 50 RPS configRefresh hammer did not uncover a weakness—TLS handshakes completed cleanly (…/tlsHandshake-report.md:1), and the API flood was blocked outright (…/apiFlood-report.md:1).
- Protection posture: Current ModSecurity/Apache defenses only police high-rate, fully completed requests. Anything that keeps a socket half-open (slowloris, R.U.D.Y, slow-read, idle TCP/TLS sessions, multipart drips) bypasses the per-minute counter entirely, so a single client can starve Apache workers and downstream servlets. The API DoS rule, on the other hand, is so aggressive that even a moderate 50 RPS burst is rejected within seconds, suggesting a “hard block” that could also impact legitimate maintenance jobs. TLS handshake capacity is healthy at ~9–10 negotiations/sec, but there is no admission control at the TLS layer, so higher rates would rely purely on raw CPU headroom.
- Real-world impact: Because most of these vectors tie up resources without ever finishing a request, an attacker with minimal bandwidth can exhaust Portal’s thread pools while staying under WAF radar—slowloris and slow uploads can immobilize EncryptUtility/dispatcher threads for minutes, preventing real customers from submitting documents or viewing pages. The idle TCP/HTTPS tests show that even basic connection-flood tools can fill the listener queues before ModSecurity evaluates anything, giving volumetric attackers a low-effort path to disruption. Meanwhile, the overzealous API DoS rule means defenders risk self-inflicted outages: any legitimate automation burst near 50 RPS would be blocked, yet attackers can simply shift to low-and-slow tactics that the rule set ignores. Overall, the system remains highly vulnerable to starvation-style DoS despite recent WAF tuning—current defenses mostly stop fast, high-RPS floods while leaving the more common “slow and resource-hungry” patterns wide open.
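The "protection posture" and "real-world impact" points above boil down to one measurement problem: a counter of completed requests per minute sees a busy maintenance job as the threat and a low-and-slow client as harmless, because it counts requests rather than the worker time they hold. The script below is an added illustration of that gap and is not part of the original comment or of the Portal project's tooling. It assumes an Apache access log in combined format with `%D` (request duration in microseconds) appended, so that the 408 entries written by mod_reqtimeout for abandoned headers or trickled bodies and the long-running slow-read downloads are visible; the IPs, paths, durations and thresholds (`max_per_minute`, `max_worker_seconds`, `max_timeouts`) are all constructed for the example.

```python
"""Added example, not part of the original assessment or the Portal project.

Contrasts a naive per-minute request counter with a worker-time / timeout-
aware check, run over constructed Apache access-log lines.

Assumed log format (constructed for this example): combined-style access log
with %D, the request duration in microseconds, appended:
    LogFormat "%h %l %u %t \"%r\" %>s %b %D"
Apache logs status 408 with request "-" when mod_reqtimeout gives up on a
client that never finished its headers; a trickled POST body ends in 408 too.
All IPs, paths and timings below are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<dur_us>\d+)$'
)

SLOW_IP = "203.0.113.7"      # constructed: low-and-slow client
BURST_IP = "198.51.100.20"   # constructed: legitimate automation burst
TS = "12/Mar/2024:10:00:%02d +0000"


def _line(ip, sec, req, status, nbytes, dur_us):
    return f'{ip} - - [{TS % sec}] "{req}" {status} {nbytes} {dur_us}'


# Six slow requests in one minute: three slowloris header timeouts (30 s each),
# two R.U.D.Y-style upload body timeouts (45 s each) and one slow-read download
# that kept a worker busy for 120 s while draining 2 MiB.
SLOW_LINES = [
    _line(SLOW_IP, 1, "-", 408, "-", 30_000_000),
    _line(SLOW_IP, 2, "-", 408, "-", 30_000_000),
    _line(SLOW_IP, 3, "POST /portal/upload HTTP/1.1", 408, "-", 45_000_000),
    _line(SLOW_IP, 5, "GET /portal/report.pdf HTTP/1.1", 200, 2_097_152, 120_000_000),
    _line(SLOW_IP, 9, "-", 408, "-", 30_000_000),
    _line(SLOW_IP, 40, "POST /portal/upload HTTP/1.1", 408, "-", 45_000_000),
]
# 55 quick, completed API calls from a maintenance job in the same minute (50 ms each).
BURST_LINES = [
    _line(BURST_IP, i, "GET /api/configRefresh HTTP/1.1", 200, 312, 50_000)
    for i in range(55)
]
SAMPLE_LOG = "\n".join(SLOW_LINES + BURST_LINES)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "minute": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(second=0),
            "status": int(m["status"]),
            "seconds": int(m["dur_us"]) / 1_000_000,
        })
    return records


def rate_counter_blocks(records, max_per_minute=50):
    """The naive control: block any client that logs more than max_per_minute
    requests in one minute. It counts requests, not the time they hold a worker."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["ip"], r["minute"])] += 1
    return {ip for (ip, _), n in counts.items() if n > max_per_minute}


def client_stats(records):
    """Per client: logged requests, 408 timeouts, and worker-seconds consumed."""
    stats = defaultdict(lambda: {"requests": 0, "timeouts": 0, "worker_seconds": 0.0})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        if r["status"] == 408:
            s["timeouts"] += 1
        s["worker_seconds"] += r["seconds"]
    return dict(stats)


def slow_clients(records, max_worker_seconds=60.0, max_timeouts=3):
    """Flag clients that hold workers for max_worker_seconds or more in total,
    or that trip the read timeout max_timeouts times or more."""
    return {
        ip for ip, s in client_stats(records).items()
        if s["worker_seconds"] >= max_worker_seconds or s["timeouts"] >= max_timeouts
    }


def assess(text):
    """Run both checks over a log and return what each one would act on."""
    records = parse_log(text)
    return {
        "rate_blocked": rate_counter_blocks(records),
        "slow_flagged": slow_clients(records),
        "stats": client_stats(records),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    for ip, s in result["stats"].items():
        print(f'{ip}: {s["requests"]} req, {s["timeouts"]} x 408, '
              f'{s["worker_seconds"]:.1f} worker-seconds')
    print("rate counter blocks:", result["rate_blocked"])
    print("slow-client check flags:", result["slow_flagged"])
```

On the constructed log the rate counter blocks only the 55-request maintenance burst (2.75 worker-seconds in total) and never sees the six-request client that held workers for 300 seconds; the worker-time check inverts that. The 408 lines only exist because a read timeout such as mod_reqtimeout's `RequestReadTimeout` is in place to close half-open connections, which is also what keeps a slowloris client from holding a worker indefinitely; without such a limit the log records nothing until the connection finally closes, which is the blind spot the comment describes.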