You can use the ModSecurity rules to ignore static content and then run your app-layer DoS rules.

Ryan Barnett

Lead Security Researcher, SpiderLabs


Trustwave | SMART SECURITY ON DEMAND

www.trustwave.com


From: Jamie Jackson <jamiejaxon@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Friday, March 28, 2014 11:37 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: [mod-security-users] DoS Evasion

I would think this would be a fairly common need, but I haven't found any solutions for it:

1. Prevent a given IP from accessing resources more than n/time_period.
2. Only protect requests to server-side scripts (the more "expensive" ones), while ignoring requests of static assets (js, css, png, etc.).
3. Accommodate even HTTPS requests.

dos_evasive and iptables* solutions seem to take care of 1 & 3, but not 2.

The only DoS writeups I've seen for ModSecurity have been evasion tactics for slow DoS attacks, but not fast ones.

Is there a solution possible in ModSecurity?

Alternatives:

A. Put static assets on another virtual host, so those can have different rules.
B. Build something into the early stage of the application layer's request handling.

I'd like to make sure there isn't some pre-app-layer solution before pursuing A or B, though.

Thanks,
Jamie

*iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m hashlimit --hashlimit-name single_ip_throttle --hashlimit-upto 3/second --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 5000 -j ACCEPT
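One way to put Ryan's suggestion into rules that meet Jamie's three requirements (per-IP budget, dynamic requests only, HTTPS included) is shown below. This is an added example written in ModSecurity 2.x / Apache syntax and modeled on the OWASP Core Rule Set's DoS-protection pattern; it is not code from either poster. HTTPS needs no special handling because ModSecurity runs inside Apache after TLS termination, so it sees the decrypted request. The rule ids, thresholds and the static-extension list are constructed values and should be tuned to the site; the ip collection requires `SecDataDir` to be configured, and `REMOTE_ADDR` must be the real client address (behind a reverse proxy, substitute the forwarded address the proxy sets, which this example does not do).

```apache
# Tunables (constructed values): 100 dynamic requests per 60 s per IP,
# then block that IP for 600 s.
SecAction "id:1000,phase:1,nolog,pass,t:none,\
  setvar:tx.dos_burst_time_slice=60,\
  setvar:tx.dos_counter_threshold=100,\
  setvar:tx.dos_block_timeout=600"

# Static assets never count toward the per-IP budget: jump past the
# DoS rules entirely. The extension list is a constructed example.
SecRule REQUEST_BASENAME "@rx \.(?:css|js|gif|jpe?g|png|ico|svg|woff2?|ttf|eot)$" \
  "id:1001,phase:1,t:none,t:lowercase,nolog,pass,skipAfter:END_DOS_PROTECTION"

# Persistent per-client collection, keyed on the client IP
# (requires SecDataDir; see lead-in for the reverse-proxy caveat).
SecAction "id:1002,phase:1,nolog,pass,t:none,initcol:ip=%{REMOTE_ADDR}"

# Client already flagged: refuse in phase 1, before the script is run.
# 503 is used because every Apache build knows it; use 429 where supported.
SecRule IP:DOS_BLOCK "@eq 1" \
  "id:1003,phase:1,t:none,log,deny,status:503,\
  msg:'Client exceeded %{tx.dos_counter_threshold} dynamic requests per %{tx.dos_burst_time_slice}s, blocked for %{tx.dos_block_timeout}s'"

# Count this dynamic request; the counter expires after the time slice.
SecAction "id:1004,phase:1,nolog,pass,t:none,\
  setvar:ip.dos_counter=+1,\
  expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"

# Over threshold: raise the block flag for the timeout and reset the counter.
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
  "id:1005,phase:1,t:none,log,pass,\
  setvar:ip.dos_block=1,\
  expirevar:ip.dos_block=%{tx.dos_block_timeout},\
  setvar:!ip.dos_counter,\
  msg:'DoS threshold reached for %{REMOTE_ADDR}'"

SecMarker END_DOS_PROTECTION
```

Because the skip in rule 1001 happens before the collection is even initialised, a burst of image or CSS fetches costs nothing against the counter, which is the difference from the iptables hashlimit approach that counts every new TCP connection regardless of what it requests. Start with `SecRuleEngine DetectionOnly` and watch the audit log for rule 1005 hits to calibrate the threshold before switching to blocking.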
