I tried to follow the advice given at
  http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
which mentions SecReadStateLimit.

If using this directive is discouraged, why have it in the first place?

Cheers,
  Thomas


On Tue, Sep 17, 2013 at 4:58 PM, Reindl Harald <h.reindl@thelounge.net> wrote:

On 17.09.2013 16:44, Thomas Eckert wrote:
> mod_security 2.7.3
> apache 2.4.4
>
> Trying to get some SlowHTTP defenses up and running using mod_security but SecReadStateLimit is giving me a hard
> time. It reports
>   ModSecurity: Access denied with code 400. Too many threads [1024] of 15 allowed in READ state from 127.0.0.1 -
> Possible DoS Consumption Attack
> even though the only connection existing is my access of mod_status. I cannot see those 1024 threads it keeps on
> complaining about using ps.
>
> Is that behaviour known of?

no idea *but* use iptables for such things instead of defending against them in
the application layer - this is a plain wrong usage of layered
security - what you want is to protect the application layer
and not fight inside the application-layer with attacks

iptables -A INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 \
  -m multiport --destination-port 80,443 --syn \
  -m connlimit --connlimit-above 50 \
  -m limit --limit 100/h -j LOG --log-prefix "Firewall Slowloris: "
iptables -A INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 \
  -m multiport --destination-port 80,443 --syn \
  -m connlimit --connlimit-above 50 -j DROP
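
An added example, not part of the original thread and not ModSecurity's own code: a small triage script for the denial message quoted above. It groups denials per client and flags reported thread counts that exceed the server's total worker threads, since such a count cannot correspond to real connections. The `worker_ceiling` parameter, the sample log lines and the WRITE variant of the message are assumptions.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread. Accepting WRITE as well as READ is
# an assumption; the thread only shows the READ variant.
DENIAL = re.compile(
    r"Too many threads \[(?P<count>\d+)\] of (?P<limit>\d+) allowed in "
    r"(?P<state>READ|WRITE) state from (?P<ip>[0-9A-Fa-f:.]+)"
)

def triage(lines, worker_ceiling):
    """Group limit denials per (ip, state) and flag impossible counts.

    worker_ceiling (hypothetical parameter) is the total number of worker
    threads the server can run, taken from the operator's own MPM settings.
    A reported count above it cannot be backed by real connections.
    """
    stats = defaultdict(lambda: {"hits": 0, "limit": 0, "max_count": 0})
    for line in lines:
        m = DENIAL.search(line)
        if not m:
            continue  # not a state-limit denial
        entry = stats[(m["ip"], m["state"])]
        entry["hits"] += 1
        entry["limit"] = int(m["limit"])
        entry["max_count"] = max(entry["max_count"], int(m["count"]))
    report = {}
    for key, entry in stats.items():
        impossible = entry["max_count"] > worker_ceiling
        verdict = "implausible-count" if impossible else "over-limit"
        report[key] = {**entry, "verdict": verdict}
    return report

# Constructed sample lines; the message text follows the one in the thread,
# the "[error]" prefix and the 192.0.2.10 client are made up.
MSG = ("[error] ModSecurity: Access denied with code 400. Too many threads "
       "[{n}] of 15 allowed in READ state from {ip} - "
       "Possible DoS Consumption Attack")
SAMPLE_LOG = [
    MSG.format(n=1024, ip="127.0.0.1"),
    MSG.format(n=1024, ip="127.0.0.1"),
    MSG.format(n=22, ip="192.0.2.10"),
    "[notice] unrelated line",
]

if __name__ == "__main__":
    # worker_ceiling=400 is an assumed value for the sample run.
    for key, info in sorted(triage(SAMPLE_LOG, worker_ceiling=400).items()):
        print(key, info)
```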


_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users