Re: [mod-security-users] mod_sec rule for hash collision DoS
From: Ryan B. <RBa...@tr...> - 2011-12-29 14:44:52
On 12/29/11 3:46 AM, "Josh Amishav-Zlatin" <ja...@gm...> wrote:

> On Thu, Dec 29, 2011 at 8:00 AM, Robert Rowley <ro...@ro...> wrote:
>> I couldn't find where to recommend rules for the CRS but wanted to get
>> this out there:
>>
>> With this morning's interesting re-release of hash collision denial of
>> service attacks[1][2] I found it trivially easy to implement a
>> preventative "band-aid" with mod_sec. And really, trivial is an
>> understatement:
>>
>> SecRule &ARGS "@gt 1000" deny
>
> Hi Robert,
>
> The CRS already has rules to limit the number of parameters in a
> request. The modsecurity_crs_10_config.conf initially configures the
> threshold:
>
>   ## Maximum number of arguments in request limited
>   SecAction "phase:1,id:'981211',t:none,nolog,pass,setvar:tx.max_num_args=255"
>
> The modsecurity_crs_23_request_limits.conf file adjusts the anomaly
> score when the request has more than the defined number of parameters:
>
>   SecRule &ARGS "@gt %{tx.max_num_args}" \
>     "t:none,setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.policy_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-POLICY/SIZE_LIMIT-%{matched_var_name}=%{matched_var}"
>
>> Now, the good question: the above rule doesn't catch cookies. Will
>> {COOKIES_COUNT "@gt 1000"} work in 2.x? (I see this variable was
>> introduced back in 2005 with mod_sec 1.9)
>
> In ModSec 2.x you can count the number of cookies submitted by using
> the & operator, e.g:
>
> SecRule &REQUEST_COOKIES_NAMES "@gt 1000" phase:1,t:none,block
>
> --
>  - Josh

We should probably add this default limit for # of Cookies too.

-Ryan

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
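The two limits discussed in the thread (the CRS argument count from &ARGS and Josh's cookie count from &REQUEST_COOKIES_NAMES), emulated in Python as an added example that is not code from the thread, the CRS or ModSecurity. It assumes the 255 argument threshold from modsecurity_crs_10_config.conf, an assumed cookie threshold of 255, an assumed notice score of 2, and constructed sample requests; the message format is illustrative.

```python
"""Added example, not from the thread or the CRS: emulate the two request
limits discussed above. &ARGS counts query-string and form-body pairs;
&REQUEST_COOKIES_NAMES counts cookie names; both are scored the way
modsecurity_crs_23_request_limits.conf adds tx.notice_anomaly_score."""
from urllib.parse import parse_qsl

MAX_NUM_ARGS = 255          # tx.max_num_args from modsecurity_crs_10_config.conf
MAX_NUM_COOKIES = 255       # assumption: the thread proposes no CRS default
NOTICE_ANOMALY_SCORE = 2    # assumption: notice-level score used by CRS 2.x


def count_args(query: str, body: str) -> int:
    """Mimic &ARGS: every name/value pair in the query string plus the
    urlencoded body, duplicates and blank values included."""
    pairs = parse_qsl(query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return len(pairs)


def count_cookies(cookie_header: str) -> int:
    """Mimic &REQUEST_COOKIES_NAMES: one entry per ';'-separated cookie
    that has a non-empty name (repeated names still count)."""
    names = (part.split("=", 1)[0].strip() for part in cookie_header.split(";"))
    return sum(1 for name in names if name)


def score_request(query: str, body: str, cookie_header: str) -> dict:
    """Return a tx-style dict: anomaly/policy scores and the messages that
    fired. Blocking is left to the caller, as in CRS anomaly-scoring mode."""
    tx = {"anomaly_score": 0, "policy_score": 0, "msgs": []}
    checks = [
        ("ARGS", count_args(query, body), MAX_NUM_ARGS),
        ("REQUEST_COOKIES_NAMES", count_cookies(cookie_header), MAX_NUM_COOKIES),
    ]
    for var, count, limit in checks:
        if count > limit:            # same comparison as "@gt %{tx.max_num_args}"
            tx["anomaly_score"] += NOTICE_ANOMALY_SCORE
            tx["policy_score"] += NOTICE_ANOMALY_SCORE
            tx["msgs"].append(f"POLICY/SIZE_LIMIT-{var}={count}")   # illustrative format
    return tx


if __name__ == "__main__":
    # Constructed requests: a normal one and a parameter flood of the kind a
    # hash-collision DoS needs (many distinct parameter names in one request).
    flood_query = "&".join(f"k{i}=v" for i in range(300))
    print(score_request("a=1&b=2", "", "sid=abc"))
    print(score_request(flood_query, "", "sid=abc"))
```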