Hi Christian,

Did you try to SecWriteStateLimit ? I think we can use a value like 150-250 and detect the attacks and maybe you will not see FPs.

When you say "active connections"  if i understand well the term you are using ... it is a established  connections right ? But it is not necessary a simultaneous SERVER_BUSY threads.

So don't think in SecWriteStateLimit as a counter for connections... but for simultaneous threads in that state. Also you can have active 200 threads .. but a few in SERVER_BUSY state.

I recommend you test (if you didn't ) it with the range of value i said here.



On Thu, Jul 7, 2011 at 12:24 AM, Christian Folini <christian.folini@time-machine.ch> wrote:
Hi Ryan,

Thank you for your extensive comments. I agree with almost all.
Let me just quickly say a few words about SecWriteStateLimit.

On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> Did you see that Breno recently added SecWriteStateLimit as well to help
> mitigate Slow POST Attacks?
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Referenc
> e_Manual#SecWriteStateLimit

I have seen it immediately when it came out and it is a must-have
feature. But it is limited to single IP attackers and I am
not really afraid of those.

Otherwise SecWriteStateLimit interferes with HTTP Proxies. My
real world experience tells me that a legitimate Proxy can easily
have 50 active connections to my server. Not all of those
will be in SERVER_BUSY_WRITE but somehow SecWriteStateLimit
treats all connections equally and I would need some way to
tweak with that. Mod_qos has a notion of VIP connections
(via a list of predefined IP ranges). I do not really
think that this mechanism is very elegant, but whatever
you do with DDoS defense, it gets hairy very fast.
SecWriteStateLimit is elegant, but very limited.



It is not power that corrupts but fear. Fear of losing power corrupts
those who wield it and fear of the scourge of power corrupts those who
are subject to it.
-- Aung San Suu Kyi

All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
mod-security-developers mailing list
ModSecurity Services from Trustwave's SpiderLabs: