Hello, everyone

We use ModSecurity 2.6 to protect some specific pages against DoS attacks.
This is the rule. I tested it in my box and it works. But in a production environment (3000 concurrent connections with the worker MPM), it failed.
Initially I used expirevar on dos_block every 1800 seconds, as the ModSecurity docs suggest. I found the var "dos_block" expired within 1-10 seconds (I dumped the resource db), not 1800. So I changed it to deprecatevar.
But it does not work either.
Is it because of a concurrency problem?

Thanks.


----------------------------------------------------------------

# Only run the DoS logic for the protected page; everything else jumps to the marker.
# %{TX.1} needs a capture group; the original pattern "^/login.php" had none.
SecRule REQUEST_URI "^(/login\.php)" \
        "phase:1,capture,t:lowercase,t:urlDecodeUni,pass,nolog,setvar:tx.dos_uri=%{TX.1},skip:1"
SecAction "phase:1,pass,nolog,skipAfter:Dos_Marker"

# Open the persistent 'resource' collection, keyed by the client IP
SecAction "phase:1,pass,nolog,t:none,setvar:tx.real_ip=%{REMOTE_ADDR}"
SecAction "phase:1,nolog,initcol:resource='%{tx.real_ip}/'"

# First request after a block: clear the flag and jump to the logging deny rule
SecRule RESOURCE:SHOULD_LOG "@eq 1" "phase:1,pass,nolog,setvar:resource.should_log=0,skip:2"

# Already blocked, no log here; the block flag decays by 1 every 1800 seconds
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
                "phase:1,deny,nolog,severity:'2',status:403,deprecatevar:resource.dos_blocked=1/1800,skipAfter:Dos_Marker"

# Skip the logging variant below
SecAction "phase:1,pass,nolog,skip:1"

# Log version, logdata is the real client IP
SecRule RESOURCE:DOS_BLOCKED "@eq 1" \
                     "phase:1,deny,log,auditlog,severity:'2',msg:'99010',id:'99010001',tag:'9901',status:403,deprecatevar:resource.dos_blocked=1/1800,logdata:%{tx.real_ip},skipAfter:Dos_Marker"

# counter++; the counter decays by 10 every 60 seconds
SecAction "phase:1,nolog,setvar:resource.dos_request_counter=+1,deprecatevar:resource.dos_request_counter=10/60"

# If the counter reaches the maximum, block. This runs in phase 5 (logging),
# so the block takes effect from the client's next request.
SecRule RESOURCE:DOS_REQUEST_COUNTER "@ge 10" \
            "phase:5,nolog,setvar:resource.dos_request_counter=0,setvar:resource.dos_blocked=1,setvar:resource.should_log=1"

SecMarker Dos_Marker
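Added example, not part of the original post and not ModSecurity code: a small Python model of what the rule set above is designed to do (per-IP counter, 10/60 decay, block at 10, block decay 1/1800, one logged deny on the first blocked request), followed by a model of the suspected race. The client IP is a constructed sample value. The model assumes, as I understand ModSecurity 2.x to do, that deprecatevar measures elapsed periods from the collection's last update time, and that a transaction loads the collection at initcol and stores it at the end; the `handle_overlapping` function is only a model of what read-at-start/write-at-end persistence does when several transactions for the same key overlap, not a trace of the engine's internals, and whether a given ModSecurity build merges concurrent updates on store is something to verify for that version.

```python
"""Model of the per-client counter/block logic expressed by the ModSecurity
rules above. Added example; not ModSecurity code."""
import copy
from dataclasses import dataclass

BURST_LIMIT = 10            # "@ge 10" on RESOURCE:DOS_REQUEST_COUNTER
COUNTER_DECAY = (10, 60)    # deprecatevar:resource.dos_request_counter=10/60
BLOCK_DECAY = (1, 1800)     # deprecatevar:resource.dos_blocked=1/1800


@dataclass
class Collection:
    """One persistent 'resource' collection, keyed by client IP (the initcol key)."""
    dos_request_counter: int = 0
    dos_blocked: int = 0
    should_log: int = 0
    last_update_time: float = 0.0   # set when the collection is stored


def deprecate(value, amount, period, last_update, now):
    """deprecatevar semantics as modelled here (assumption): subtract `amount`
    for every full `period` elapsed since the collection was last stored,
    never going below zero."""
    elapsed_periods = int((now - last_update) // period)
    return max(0, value - amount * elapsed_periods)


def run_rules(col, now):
    """Apply the phase-1 and phase-5 rules to one request against an already
    loaded collection (mutated in place). Returns (http_status, logged)."""
    take_log_rule = col.should_log == 1
    if take_log_rule:
        col.should_log = 0          # skip:2 -> the logging variant of the deny rule
    if col.dos_blocked == 1:
        # Either deny rule: 403; the block flag decays 1/1800 via deprecatevar.
        col.dos_blocked = deprecate(col.dos_blocked, *BLOCK_DECAY, col.last_update_time, now)
        return 403, take_log_rule
    # counter++ then deprecatevar 10/60
    col.dos_request_counter += 1
    col.dos_request_counter = deprecate(col.dos_request_counter, *COUNTER_DECAY,
                                        col.last_update_time, now)
    # Phase 5: threshold reached -> arm the block for the client's next request.
    if col.dos_request_counter >= BURST_LIMIT:
        col.dos_request_counter = 0
        col.dos_blocked = 1
        col.should_log = 1
    return 200, False


def handle_sequential(store, ip, now):
    """Transactions one after another: load, run rules, store. This is the
    behaviour the rule set is written for."""
    col = store.setdefault(ip, Collection(last_update_time=now))
    result = run_rules(col, now)
    col.last_update_time = now      # the store updates LAST_UPDATE_TIME
    return result


def handle_overlapping(store, ip, now, n):
    """Model of `n` transactions for the same key in flight at once: every one
    loads the collection before any of them has stored it, and the last store
    wins, so n-1 increments are lost and the threshold is never reached.
    This is a model of the suspected race, not ModSecurity's actual code path."""
    base = store.setdefault(ip, Collection(last_update_time=now))
    snapshots = [copy.copy(base) for _ in range(n)]
    results = [run_rules(snap, now) for snap in snapshots]
    for snap in snapshots:
        snap.last_update_time = now
        store[ip] = snap            # last writer wins
    return results


if __name__ == "__main__":
    ip = "198.51.100.7"             # constructed sample client address
    store = {}
    print("sequential:", [handle_sequential(store, ip, 1000.0)[0] for _ in range(12)])
    store = {}
    print("overlapping:", [s for s, _ in handle_overlapping(store, ip, 1000.0, 10)],
          "final counter =", store[ip].dos_request_counter)
```

Run sequentially, the 10th request arms the block and the 11th is the single logged 403; run as ten overlapping transactions, the stored counter ends at 1 and nothing is ever blocked, which is the symptom to look for when dumping the resource db under load.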