I would think this would be a fairly common need, but I haven't found any solutions for it:
1. Prevent a given IP from accessing resources more than n/time_period.
2. Only protect requests to server-side scripts (the more "expensive" ones), while ignoring requests of static assets (js, css, png, etc.).
3. Accommodate even HTTPS requests.
dos_evasive and iptables* solutions seem to take care of 1 & 3, but not 2.
The only DoS writeups I've seen for ModSecurity have been evasion tactics for slow DoS attacks, but not fast ones.
Is there a solution possible in ModSecurity?
A. Put static assets on another virtual host, so those can have different rules.
B. Build something into the early stage of the application layer's request handling.
I'd like to make sure there isn't some pre-app-layer solution before pursuing A or B, though.
*iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit-name single_ip_throttle --hashlimit-upto 3/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 5000 -j ACCEPT
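
Added example, not part of the original message: one way the three requirements above can be expressed as ModSecurity 2.x rules on Apache. The rule ids, the SecDataDir path, the extension list, the variable name dyn_requests and the burst threshold of 10 are assumptions; the decay of 3 per second mirrors the iptables limit quoted in the post.

```apache
# Constructed example for ModSecurity 2.x; ids, paths and thresholds are
# illustrative values, not taken from the original post.
SecRuleEngine On

# Persistent collections (the per-IP counter) need a writable data directory.
SecDataDir /var/cache/modsecurity

# Requirement 2: requests for static assets jump past the counting rules,
# so only server-side script requests are counted.
SecRule REQUEST_FILENAME "@rx \.(?:js|css|png|jpe?g|gif|ico|svg|woff2?)$" \
    "id:900100,phase:1,pass,nolog,t:none,t:lowercase,skipAfter:END_IP_THROTTLE"

# Requirement 1: open the collection keyed on the client address, count this
# request, and let the counter decay by 3 for every elapsed second.
SecAction \
    "id:900101,phase:1,pass,nolog,\
    initcol:ip=%{REMOTE_ADDR},\
    setvar:ip.dyn_requests=+1,\
    deprecatevar:ip.dyn_requests=3/1"

# Reject in phase 1, before the request reaches the application, once the
# client has used up the burst allowance.
SecRule IP:dyn_requests "@gt 10" \
    "id:900102,phase:1,deny,status:429,log,\
    msg:'Per-IP limit on dynamic requests exceeded',\
    logdata:'count=%{ip.dyn_requests}'"

SecMarker END_IP_THROTTLE
```

Requirement 3 needs no extra rule: ModSecurity runs inside Apache after TLS has been terminated, so the same rules apply when placed in an HTTPS virtual host.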