Yes I think that is a kind of botnet. 

I understood the problem, and I thought that dropping connections was the best way, but i didn't realize that it could be interpreted as a overload of the server, you are right. 

I will use that setting, and monitor how the server performs.

Thank you very much for your advise. I really appreciate that.

Best regards

Alejandro


2013/2/16 Reindl Harald <h.reindl@thelounge.net>


Am 16.02.2013 17:26, schrieb Alejandro Casagrande:
> I don't know why you are being so rude.

because you do not try to undersatnd the problem?

> I know that should return 403 code

so do it

> but that generates output traffic

not a relevant amount

> using mod_security I want to drop this connection, with the configuration that i'm using is doing that,
> but if you consider that is not right what i'm doing, I will apply your suggestions

you said it is a large amount of IP's
well, that sounds like a botnet
they found your machine open as proxy and started using it

after they get enough 403 responses they will go away
dropping connections may be interpreted as "overloaded" wgile
a "403 forbidden" clearly indicated you have fixed your config

if you are closing the connection you risk that they try much
longer to use your server as a proxy and overload you with
incoming traffic and syn-floods as if you respond clearly
with a sign "creep away, my config is fixed"

> The VPS has preinstalled apache, and I was not quick enough to realize this problem. That was my mistake and I'm
> working to have the best solution.

the best solution is to have a sane config and sit
this out as they will stop trying over time without
success

> It seems that i'm bothering in this list, if so I will quit this list and every body happy, I just was looking for
> some useful advice, not being insulted.
>
> I'm very sorry for bothering with my emails.

nobody said that

but if you are advised to fix the config and how and the
apache documentation states that this is correct you should
not try to break the HTTP procotol because it will not help
you

> 2013/2/16 Reindl Harald <h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>>
>
>     Am 16.02.2013 16:35, schrieb Alejandro Casagrande:
>     > Hi Reindl, I really appreciate your suggestions. Yes I put ProxyRequest Off in the redirection to jetty.
>     >
>     > However, in the default vhost I think that I need proxyrequest on, because if I don't have that Apache responds
>     > when a proxy request attempt is done, returning 403 code. I don't want that apache responds to that request,
>     > instead I want the connection dropped. I'm doing this with the vhost below, and mod_security is dropping the
>     > connection.
>
>     do yhat you want if you are thinking you are smarter as people
>     with a lot of production servers, evens as the apache developers
>     itself which are saying clearly DISABLE THIS BULLSHIT
>
>     the HTTP proctocol is designed to respond with a status-code
>     and if you would not have been so stupid at the begin allow
>     proxy requests you would not have all this connections which
>     will sooner or later stop if they recognize taht it is no
>     longer possible and this is one reason more respond with 403
>
>     your problem is generally on the wrong mailing-list because
>     a misconfiuration of httd has nothing to do with modsec which
>     should be a FALLBACK and not to fix misconfiguration
>     ____________________________
>
>     http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyrequests
>
>     Warning
>     Do not enable proxying with ProxyRequests until you have secured your server.
>     Open proxy servers are dangerous both to your network and to the Internet at large.
>
>     This allows or prevents Apache from functioning as a forward proxy server.
>     (Setting ProxyRequests to Off does not disable use of the ProxyPass directive.)


------------------------------------------------------------------------------
The Go Parallel Website, sponsored by Intel - in partnership with Geeknet,
is your hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials, tech docs,
whitepapers, evaluation guides, and opinion stories. Check out the most
recent posts - join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/




--
Ing. Alejandro Casagrande
Advenio Software
http://www.advenio.com.ar