Hi Chris,
I actually found your article and tried to make a simpler version of the ruleset.

But still, in case of continuous requests the collection
ip[192.168.0.1].blocked = 1
never expires.


Here's my ruleset:

SecAction initcol:ip=%{REMOTE_ADDR},nolog
SecAction initcol:user=%{REMOTE_ADDR},nolog

SecRule REQUEST_URI '^/api/api.php$' \
        "log,setvar:ip.request_counter=+1,deprecatevar:user.count=100/5"

SecRule IP:REQUEST_COUNTER "@gt 3" \
        "log,setvar:user.count=+1,setvar:ip.request_counter=0"

SecRule USER:COUNT "@gt 1" \
        "log,setvar:ip.blocked=1,expirevar:ip.blocked=5"

SecRule IP:BLOCKED "@gt 0" \
        "log,drop,msg:'API Flood Attempt'"
Thanks,
Matt:e
On Fri, Dec 10, 2010 at 9:35 AM, Christian Bockermann <chris@jwall.org> wrote:

Hi Matteo,

you might want to have a look at this:

       https://secure.jwall.org/blog/2009/07/19/1248004300834.html

Regards,
   Chris

On 10.12.2010 at 09:28, Matteo wrote:

> Hello,
> I'm currently trying to put together a proof of concept to limit the number of calls directed to an API.
>
> Here's the simple rule I put in place:
>
> SecAction initcol:ip=%{USER},nolog
> SecRule REQUEST_URI '^/api/api.php$' \
>         "nolog,setvar:ip.api_ddos=+1,deprecatevar:ip.api_ddos=100/10"
> SecRule IP:API_DDOS "@gt 2" \
>         "log,drop,msg:'Api Flood Attempt'"
>
>
> The problem is deprecatevar depends on the LAST_UPDATE_TIME of a collection, which is set to the current time for every incoming request.
> This rule will never work if the user keeps on making requests to the API.
>
> Has anybody had the same problem and found a good approach?
>
>
> Thanks,
> Mattie
> ------------------------------------------------------------------------------
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Appliances, Rule Sets and Support:
> http://www.modsecurity.org/breach/index.html

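Added simulation, not from this thread and not ModSecurity's own code: it models the collection semantics Matteo describes (LAST_UPDATE_TIME refreshed whenever the collection is stored at request end, deprecatevar decaying relative to it, expirevar as an absolute deadline that is pushed out every time it is set) and runs both rulesets against a client calling once per second for 20 s and once more at 40 s. The Collection class and the timings are constructed assumptions; the point it shows is that neither the counter nor ip.blocked decays until the client pauses, because every request refreshes both.

```python
class Collection:
    """Constructed model of one ModSecurity persistent collection."""
    def __init__(self):
        self.vars, self.expiry, self.last_update = {}, {}, None

    def load(self, now):  # variables past their expirevar deadline vanish on read
        for k, t in list(self.expiry.items()):
            if now >= t:
                self.vars.pop(k, None)
                del self.expiry[k]

    def setvar(self, k, v, add=False):
        self.vars[k] = (self.vars.get(k, 0) + v) if add else v

    def deprecatevar(self, k, amount, period, now):
        # Decay `amount` per full `period` elapsed since LAST_UPDATE_TIME (none if < period).
        if self.last_update is not None and k in self.vars:
            steps = int((now - self.last_update) // period)
            self.vars[k] = max(0, self.vars[k] - amount * steps)

    def expirevar(self, k, secs, now):
        self.expiry[k] = now + secs  # absolute deadline, pushed out on every call

    def store(self, now):
        self.last_update = now  # storing at request end refreshes LAST_UPDATE_TIME

def original_rule(ip, user, now):
    """Matteo's rule: +1 per call, deprecatevar 100/10, drop when > 2."""
    ip.load(now)
    ip.setvar("api_ddos", 1, add=True)
    ip.deprecatevar("api_ddos", 100, 10, now)
    dropped = ip.vars.get("api_ddos", 0) > 2
    ip.store(now)
    return dropped

def expirevar_rules(ip, user, now):
    """Matt's ruleset: ip.blocked=1 with expirevar 5, re-set on every hit."""
    ip.load(now); user.load(now)
    ip.setvar("request_counter", 1, add=True)
    user.deprecatevar("count", 100, 5, now)
    if ip.vars["request_counter"] > 3:
        user.setvar("count", 1, add=True); ip.setvar("request_counter", 0)
    if user.vars.get("count", 0) > 1:
        ip.setvar("blocked", 1); ip.expirevar("blocked", 5, now)
    dropped = ip.vars.get("blocked", 0) > 0
    ip.store(now); user.store(now)
    return dropped

def simulate(rule, request_times):  # one client; returns {t: dropped}
    ip, user = Collection(), Collection()
    return {t: rule(ip, user, t) for t in request_times}
```

With requests at t = 0..19 and t = 40, both rulesets keep dropping through t = 19 (Matt's block set at t = 7 is renewed every second, so the 5 s expiry never arrives) and only the request at t = 40, after a pause, gets through.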