FYI.  I'm adding a small check in SecWriteStateLimit to only check for POST connections (2.6.1-stable)

thanks

Breno

On Thu, Jul 7, 2011 at 9:31 AM, Breno Silva <breno.silva@gmail.com> wrote:
Hi Christian,

Did you try SecWriteStateLimit? I think we can use a value like 150-250 and detect the attacks, and maybe you will not see FPs.

When you say "active connections", if I understand the term you are using correctly, you mean established connections, right? But those are not necessarily simultaneous SERVER_BUSY threads.

So don't think of SecWriteStateLimit as a counter for connections, but for simultaneous threads in that state. Also, you can have 200 active threads but only a few in SERVER_BUSY state.

I recommend you test it (if you haven't already) with the range of values I mentioned here.

Thanks

Breno


On Thu, Jul 7, 2011 at 12:24 AM, Christian Folini <christian.folini@time-machine.ch> wrote:
Hi Ryan,

Thank you for your extensive comments. I agree with almost all.
Let me just quickly say a few words about SecWriteStateLimit.

On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> Did you see that Breno recently added SecWriteStateLimit as well to help
> mitigate Slow POST Attacks?
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecWriteStateLimit

I saw it immediately when it came out, and it is a must-have
feature. But it is limited to single-IP attackers, and I am
not really afraid of those.

Otherwise, SecWriteStateLimit interferes with HTTP proxies. My
real-world experience tells me that a legitimate proxy can easily
have 50 active connections to my server. Not all of those
will be in SERVER_BUSY_WRITE, but somehow SecWriteStateLimit
treats all connections equally, and I would need some way to
tweak that. mod_qos has a notion of VIP connections
(via a list of predefined IP ranges). I do not really
think that this mechanism is very elegant, but whatever
you do with DDoS defense, it gets hairy very fast.
SecWriteStateLimit is elegant, but very limited.

Best,

Christian


--
It is not power that corrupts but fear. Fear of losing power corrupts
those who wield it and fear of the scourge of power corrupts those who
are subject to it.
-- Aung San Suu Kyi

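As an added model of the distinction Breno draws above (threads in SERVER_BUSY_WRITE per IP, not open connections, with the 2.6.1-stable POST-only check), written for this thread and not ModSecurity's own code: it runs a per-IP count over a constructed Apache-style scoreboard containing a proxy with 50 connections and a single IP holding 200 busy-write POST workers. The `Worker` class, the `vip_ranges` exemption (a mod_qos-style idea, not a ModSecurity option) and the sample addresses are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One Apache worker/thread as it would appear in the scoreboard (constructed
# model; the class and field names are this example's own, not ModSecurity's).
@dataclass(frozen=True)
class Worker:
    client_ip: str
    state: str   # e.g. "SERVER_BUSY_READ", "SERVER_BUSY_WRITE", "SERVER_BUSY_KEEPALIVE"
    method: str  # request method of the connection this worker serves

def connection_counts(workers):
    """Per-IP number of open connections, regardless of worker state."""
    return Counter(w.client_ip for w in workers)

def busy_write_counts(workers, post_only=True):
    """Per-IP number of workers in SERVER_BUSY_WRITE, following Breno's description:
    a counter of simultaneous threads in that state, not of connections.
    post_only=True models the 2.6.1-stable check that counts only POST requests."""
    counts = Counter()
    for w in workers:
        if w.state == "SERVER_BUSY_WRITE" and (not post_only or w.method == "POST"):
            counts[w.client_ip] += 1
    return counts

def over_limit(workers, limit, post_only=True, vip_ranges=()):
    """IPs whose SERVER_BUSY_WRITE count exceeds `limit`. vip_ranges is a
    hypothetical mod_qos-style exemption list (an assumption, not a ModSecurity option)."""
    nets = [ip_network(r) for r in vip_ranges]
    return {
        ip: n
        for ip, n in busy_write_counts(workers, post_only).items()
        if n > limit and not any(ip_address(ip) in net for net in nets)
    }

# Constructed scoreboard: a legitimate proxy holding 50 connections, only 10 of
# them in SERVER_BUSY_WRITE (6 POST, 4 GET), and a single IP holding 200 workers
# in SERVER_BUSY_WRITE with POST requests (the slow POST pattern the limit targets).
PROXY, ATTACKER = "203.0.113.10", "198.51.100.7"
SCOREBOARD = (
    [Worker(PROXY, "SERVER_BUSY_WRITE", "POST") for _ in range(6)]
    + [Worker(PROXY, "SERVER_BUSY_WRITE", "GET") for _ in range(4)]
    + [Worker(PROXY, "SERVER_BUSY_READ", "GET") for _ in range(10)]
    + [Worker(PROXY, "SERVER_BUSY_KEEPALIVE", "GET") for _ in range(30)]
    + [Worker(ATTACKER, "SERVER_BUSY_WRITE", "POST") for _ in range(200)]
)

if __name__ == "__main__":
    print(over_limit(SCOREBOARD, limit=150))  # {'198.51.100.7': 200}: the proxy's 50 connections never trip it
```

With a limit in Breno's 150-250 range only the single-IP client is flagged; lowering the limit far enough to catch the proxy (here, below 6) is where an exemption list of the kind Christian describes for mod_qos would come in.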
_______________________________________________
mod-security-developers mailing list
mod-security-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php