Re: [mod-security-users] written but not tested much - POST needs referer header - Slowloris POST D
From: Jamie R. <jam...@gm...> - 2013-11-20 10:48:59
On 20 November 2013 10:31, Reindl Harald <h.r...@th...> wrote:
>
> On 20.11.2013 10:53, Jamie Riden wrote:
>> I wrote this for a client who was undergoing a DDoS - a POST-based
>> Slowloris as far as I can tell.
>
> Slowloris should be caught with a packetfilter (iptables)
> Slowloris is based on an abusive number of connections
> nothing you want to have go to the application layer at all

You are right - but I didn't architect the network, and I have to work with what's available.

>> I've tested this against their pcaps, but don't have any "good"
>> traffic to ensure it doesn't have false positives - but my guess is it
>> should be sensible for most configurations. But please test before
>> deploying :)
>>
>> Even if you have some FPs, it may be better than getting DDoSed.
>
> a very bad idea, you hurt every user which does not send referer for
> privacy reasons and if someone is really attacking you it's easy
> to send you a "sensible" referer header with your domain

That's interesting - I didn't know that Referer was turned off for privacy reasons - especially intra-site.

thanks,
Jamie

--
Jamie Riden / ja...@ho... / jam...@gm...
http://uk.linkedin.com/in/jamieriden