Hi Christian,

The SecReadStateLimit is not only a threshold for the IP address. It is looking for an "anomaly" in the connection process. So if you are behind a proxy or a NAT, only the bad connections will be dropped. The good ones will pass normally. So legit connections behind the proxy will work fine.



On Wed, Nov 24, 2010 at 1:17 AM, <christian.folini@post.ch> wrote:
Hi Ryan,

Nice post. Thanks. Especially the combination of mod_reqtimeout and ModS
is very elegant in my eyes.

I am not so happy with SecReadStateLimit looking only at the IP address.
How do you protect proxies from your countermeasures? A proxy might share multiple
hundred legitimate connections with your server for multiple hundred legitimate
clients, all appearing to come from the same IP address.



-----Original Message-----
From: owasp-modsecurity-core-rule-set-bounces@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-bounces@lists.owasp.org] On Behalf Of Ryan Barnett
Sent: Wednesday, November 24, 2010 02:45
To: mod-security-users@lists.sourceforge.net; owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: [Owasp-modsecurity-core-rule-set] Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks

This week's blog post -


Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs
