Re: [mod-security-users] Apache hang on https protocol violation
From: Brian R. <Bri...@br...> - 2008-06-24 17:18:36
Nicola,

I need to be able to duplicate this problem. Would you please send your settings for Apache and modsecurity? For ModSecurity, I need your config settings (usually in modsecurity_crs_10_config.conf) and which other files you are including. For Apache I at least need these:

1. Output from "httpd -V" and "httpd -l"
2. Values for the following directives:
   ServerLimit
   StartServers
   MaxClients
   MinSpareThreads
   MaxSpareThreads
   ThreadsPerChild
   MaxRequestsPerChild
   MaxRequestsPerThread
   KeepAlive
   KeepAliveTimeout
3. As well as your config for proxying (Balancer, ProxyPass, etc)?
4. Additionally, your entire error_log at at least level "info" (cleared before the test), the server-status output during (or near) the hang and CPU/Mem usage stats during the test would be nice as well.

thanks,
-B

Ivan Ristic wrote:
> Hi Nicola,
>
> We'll have to try to reproduce your problem somehow, as it doesn't
> happen in my tests. I've been using ab constantly over the years for
> testing, and I don't recall any problems either.
>
> Are you using mlogc or any other mechanism to transmit alerts elsewhere?
>
>
> On Mon, Jun 23, 2008 at 2:51 PM, Nicola Bianchi <bia...@gm...> wrote:
>> Hi people,
>> I'm a new modsecurity user and I have a problem which maybe some of you can
>> resolve ;).
>>
>> My configuration is: reverse proxy (http/https) with apache 2.2.9 and
>> modsecurity 2.5.5 (core rules 2.5-1.6.1) on Linux SUSE SLES10.
>> Hardware: 2CPU dual core Intel(R) Xeon(R) @ 2.33GHz, 4GB of RAM
>>
>> If I try this benchmark all works fine, without problems:
>> ab -k -c 200 -n 8000 http://www.mysite.com/
>> ab -k -c 200 -n 8000 https://www.mysite.com/
>>
>> ... no lost requests, no particular delay.
>>
>> The problem comes out if I try to do a "DOS attack" pointing directly to the
>> ip address of mysite in https
>> After a few requests (~200) apache hangs and stops responding ...
>>
>> ab -k -c 200 -n 8000 https://192.168.168.100/).
>>
>> #############################################################################
>> # This is ApacheBench, Version 2.3 <$Revision: 655654 $>
>> # Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
>> # Licensed to The Apache Software Foundation, http://www.apache.org/
>> #
>> # Benchmarking 192.168.168.100 (be patient)
>> # Completed 200 requests
>> # apr_poll: The timeout specified has expired (70007)
>> # Total of 272 requests completed
>> #############################################################################
>>
>> Here is an extract from the logs:
>> #############################################################################
>> Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168]
>> ModSecurity: Access denied with code 400 (phase 2). Pattern match
>> "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file
>> "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"]
>> [line "60"] [id "960017"] [msg "Host header is a numeric IP address"]
>> [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname
>> "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
>> #############################################################################
>>
>> If I turn off modsecurity (SecRuleEngine Off) and I repeat the test I don't
>> have a problem!
>> If I disable the specific rule (SecRuleRemoveById "960017") all works fine!
>>
>> So, have you some idea about this issue?
>> How can I prevent this kind of "DOS attack"?
>>
>> Thanks a lot! Regards
>> Nick
>>
>> PS: sorry for my ridiculous english ;)
>>
>> -------------------------------------------------------------------------
>> Check out the new SourceForge.net Marketplace.
>> It's the best place to buy or sell services for
>> just about anything Open Source.
>> http://sourceforge.net/services/buy/index.php
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>
> --
> Ivan Ristic

--
Brian Rectanus
Breach Security
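
For working through the error_log that Brian asks for, here is an added example (not part of the thread and not ModSecurity project code): a small Python parser for alert lines in the format Nicola quoted, tallying alerts per rule id, client and Host value so they can be lined up with the time of the hang. The function names are hypothetical and the second sample line is constructed.

```python
import re
from collections import Counter

# The first line is the alert quoted in the thread (joined onto one line);
# the second is a constructed non-alert line to show other entries are skipped.
SAMPLE_LOG = r'''Jun 23 14:31:47 ulxbwaf httpd[8103]: [error] [client 192.168.168.168] ModSecurity: Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at REQUEST_HEADERS:Host. [file "/opt/jail/opt/waf/mod_security/prod/conf/core_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"] [hostname "192.168.168.100"] [uri "/"] [unique_id "SF@XssIL0NIAAB@ncMAAAACI"]
Jun 23 14:31:48 ulxbwaf httpd[8103]: [notice] constructed line, not a WAF alert
'''

CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
ACTION_RE = re.compile(r'ModSecurity: (.+?) \(phase (\d)\)')
# Metadata pairs look like [name "value"]; values may hold escaped quotes.
META_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_alert(line):
    """Return the alert's fields as a dict, or None for non-ModSecurity lines."""
    if 'ModSecurity:' not in line:
        return None
    alert = {'client': None, 'action': None, 'phase': None, 'tag': []}
    client = CLIENT_RE.search(line)
    if client:
        alert['client'] = client.group(1)
    action = ACTION_RE.search(line)
    if action:  # not every ModSecurity message carries "(phase N)"
        alert['action'], alert['phase'] = action.group(1), int(action.group(2))
    for name, value in META_RE.findall(line):
        if name == 'tag':  # a rule can carry several tags
            alert['tag'].append(value)
        else:
            alert[name] = value  # values are kept as logged, escapes included
    return alert


def summarize(log_text):
    """Count alerts per (rule id, client address, Host value)."""
    counts = Counter()
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert:
            counts[(alert.get('id'), alert['client'], alert.get('hostname'))] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```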