Is there any way to do it without using mod_remoteip?
I tried that rule, but couldn't manage to get it working:

SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,t:none,pass,nolog,capture,setvar:tx.client_ip=%{tx.1}"
SecRule &TX:CLIENT_IP "@eq 0" "phase:1,t:none,pass,nolog,setvar:tx.client_ip=%{remote_addr}"
SecRule &TX:CLIENT_IP "!@eq 0" "phase:1,t:none,pass,nolog,initcol:ip=%{tx.client_ip}"

Any idea?

On Fri, Nov 22, 2013 at 9:18 PM, maoz zadok <> wrote:

Thank you Reindl, I may try it.
Thank you Ryan. I'm looking for alternatives to Akamai protection; the Akamai protection module costs a lot.
Mainly, most of the attacks on our site that get to the origin are loops of HTTP requests to dynamic content, loops of POST requests for comments, and loops of HTTP requests to cached content with different parameters that pass the cache and get to the origin.

On Fri, Nov 22, 2013 at 6:52 PM, Ryan Barnett <> wrote:
Do you have any examples of the type of traffic that you want to block with these types of rules that the Akamai DDoS/WAF protections are not handling? Ideally, this stuff should be handled at the "edge" of your network, which in this case extends to the Akamai platform.

Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: maoz zadok <>
Reply-To: "" <>
Date: Friday, November 22, 2013 11:28 AM
To: "" <>
Subject: [mod-security-users] DDOS attacks protection with X-forwarded-for

Hello all,

I found the following rule for DDoS protection. I'd like to implement this rule, but my website is behind cache servers (Akamai services). Any idea how I can use it with the X-Forwarded-For real client IP?

The rules I found from the above source:

SecRuleEngine On

SecAuditEngine RelevantOnly
SecAuditLogType Serial
SecAuditLog logs/mod_security.log

# a folder where mod_security will store data variables
SecDataDir logs/mod_security-data

# ignore requests from localhost or some other IP
SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,nolog,allow"

# for all non static urls count requests per second per ip
# (increase var requests by one, expires in 1 second)
SecRule REQUEST_BASENAME "!(\.avi$|\.bmp$|\.css$|\.doc$|\.flv$|\.gif$|\

# if there were more than 5 requests per second for this IP
# set var block to 1 (expires in 5 seconds) and increase var blocks by one (expires in an hour)
SecRule ip:requests "@eq 5" "phase:1,pass,nolog,setvar:ip.block=1,expirevar:ip.block=5,setvar:ip.blocks=+1,expirevar:ip.blocks=3600"

# if user was blocked more than 5 times (var blocks>5), log and return http 403
SecRule ip:blocks "@ge 5" "phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

# if user is blocked (var block=1), log and return http 403
SecRule ip:block "@eq 1" "phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"

# 403 is some static page or message
ErrorDocument 403 "<center><h2>take it easy yo!"
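As an added example, not code from any poster in this thread, here is a ModSecurity 2.x version of the same rate limiter that keys the persistent `ip` collection on the address taken from X-Forwarded-For, but only when the request actually arrived from a trusted proxy. The edge ranges 192.0.2.0/24 and 198.51.100.0/24 are placeholders (RFC 5737 documentation space) to be replaced with the CDN's published ranges, the rule ids in the 100000 range are arbitrary, and the static-extension list is illustrative. Ids are included because ModSecurity 2.7 and later refuse to load rules without one.

```apache
SecRuleEngine On
SecDataDir logs/mod_security-data

# Placeholder ranges: replace with the CDN's published edge ranges. Only
# requests from these addresses may carry a trustworthy X-Forwarded-For.
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,198.51.100.0/24" \
    "id:100001,phase:1,pass,nolog,t:none,setvar:tx.from_trusted_proxy=1"

# A client can send its own X-Forwarded-For and the proxy appends to it, so the
# leftmost value is attacker-controlled. Take the rightmost IPv4 address, which
# is the one the trusted hop wrote (assumes the CDN appends exactly one value).
SecRule TX:from_trusted_proxy "@eq 1" \
    "id:100002,phase:1,pass,nolog,t:none,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "(\d{1,3}(?:\.\d{1,3}){3})\s*$" \
        "t:none,capture,setvar:tx.client_ip=%{tx.1}"

# Direct connections, or proxied requests with no usable header:
# fall back to the TCP peer address.
SecRule &TX:client_ip "@eq 0" \
    "id:100003,phase:1,pass,nolog,t:none,setvar:tx.client_ip=%{REMOTE_ADDR}"

# Key the persistent collection on the resolved client address, not REMOTE_ADDR,
# so every edge node forwarding for the same client hits the same counters.
SecAction "id:100004,phase:1,pass,nolog,t:none,initcol:ip=%{tx.client_ip}"

# Ignore requests from localhost
SecRule TX:client_ip "@ipMatch 127.0.0.1" "id:100005,phase:1,pass,nolog,allow"

# For all non-static URLs count requests per second per client
# (increase ip.requests by one, expires in 1 second)
SecRule REQUEST_BASENAME "!\.(avi|bmp|css|doc|flv|gif|ico|jpe?g|js|png|swf)$" \
    "id:100006,phase:1,pass,nolog,t:none,t:lowercase,setvar:ip.requests=+1,expirevar:ip.requests=1"

# Fifth request within a second: block for 5 seconds and remember the block for an hour
SecRule IP:requests "@eq 5" \
    "id:100007,phase:1,pass,nolog,t:none,setvar:ip.block=1,expirevar:ip.block=5,setvar:ip.blocks=+1,expirevar:ip.blocks=3600"

# Blocked 5 or more times within the hour: log and deny
SecRule IP:blocks "@ge 5" \
    "id:100008,phase:1,deny,log,t:none,status:403,logdata:'client %{tx.client_ip} req/sec: %{ip.requests}, blocks: %{ip.blocks}'"

# Currently blocked: log and deny
SecRule IP:block "@eq 1" \
    "id:100009,phase:1,deny,log,t:none,status:403,logdata:'client %{tx.client_ip} req/sec: %{ip.requests}, blocks: %{ip.blocks}'"
```

The trusted-proxy check is what makes this safe to run without mod_remoteip: if any request source could set the key, a sender could forge X-Forwarded-For to dodge its own counter or to get an arbitrary address blocked. The ranges in rule 100001 have to be kept in step with the CDN's published edge list, and the regex only handles IPv4. Akamai can also deliver the originating address in a True-Client-IP header; if that is enabled on the property, matching it under the same trusted-proxy condition is simpler than parsing X-Forwarded-For.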


mod-security-users mailing list