I tried to follow the advice given at
which mentions SecReadStateLimit.

If using this directive is discouraged why have it in the first place?


On Tue, Sep 17, 2013 at 4:58 PM, Reindl Harald <h.reindl@thelounge.net> wrote:

Am 17.09.2013 16:44, schrieb Thomas Eckert:
> mod_security 2.7.3
> apache 2.4.4
> Trying to get some SlowHTTP defenses up and running using mod_security but SecReadStateLimit is giving me a hard
> time. It reports
>   ModSecurity: Access denied with code 400. Too many threads [1024] of 15 allowed in READ state from -
> Possible DoS Consumption Attack
> even though the only connection existing is my access of mod_status. I cannot see those 1024 threads it keeps on
> complaining about using ps.
> Is that behaviour known of?

no idea *but* use iptables for such things instead of defending them in
the application layer - this is a plain wrong usage of layered
security - what you want is to protect the application layer
and not fight inside the application-layer with attacks

iptables -A INPUT -p tcp -i eth0 ! -s -m multiport --destination-port 80,443 --syn -m connlimit \
  --connlimit-above 50 -m limit --limit 100/h -j LOG --log-prefix "Firewall Slowloris: "
iptables -A INPUT -p tcp -i eth0 ! -s -m multiport --destination-port 80,443 --syn -m connlimit \
  --connlimit-above 50 -j DROP
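The following is an added example, not part of the thread and not written by either poster. It models in Python what the two iptables rules above do (a connlimit match with a rate-limited LOG rule followed by a DROP rule, and the '! -s' exemption for one address), and runs it over a constructed scenario to show two points a defender should know before relying on this: the per-source limit catches one host holding many slow connections but not the same number of connections spread across many hosts, and the exempted address (such as the host polling mod_status) is never counted. The treatment of connlimit as counting the connection being opened, and of -m limit as a token bucket with a burst of 5, are assumptions stated in the comments; the addresses and counts are constructed.

```python
from collections import defaultdict


class ConnLimitModel:
    """Model of the rule pair in the thread: '-m connlimit --connlimit-above N'
    matched first by a '-m limit' LOG rule, then by an unconditional DROP rule.
    Constructed example; netfilter semantics assumed here are noted inline."""

    def __init__(self, limit_above=50, log_per_hour=100, log_burst=5, whitelist=()):
        self.limit_above = limit_above          # --connlimit-above 50
        self.log_rate = log_per_hour / 3600.0   # --limit 100/h, as tokens per second
        self.log_burst = log_burst              # assumption: -m limit default --limit-burst 5
        self.whitelist = frozenset(whitelist)   # the '! -s <addr>' exemption
        self.open_conns = defaultdict(int)      # concurrent connections per source address
        self.tokens = float(log_burst)          # token bucket backing the LOG rule
        self.last_ts = 0.0
        self.log_lines = []

    def _take_log_token(self, ts):
        # -m limit is a token bucket: refill at log_rate, capped at log_burst
        self.tokens = min(self.log_burst, self.tokens + (ts - self.last_ts) * self.log_rate)
        self.last_ts = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

    def syn(self, src, ts):
        """Decide a new SYN from src at time ts (seconds); returns 'ACCEPT' or 'DROP'."""
        if src in self.whitelist:               # '! -s' means neither rule ever matches this source
            self.open_conns[src] += 1
            return "ACCEPT"
        # assumption: connlimit counts the connection being opened, so the
        # (limit_above + 1)-th concurrent connection is the first one matched
        if self.open_conns[src] + 1 > self.limit_above:
            if self._take_log_token(ts):        # LOG rule fires only while tokens remain
                self.log_lines.append(f"Firewall Slowloris: SRC={src} ts={ts}")
            return "DROP"                       # DROP rule, no rate limit
        self.open_conns[src] += 1
        return "ACCEPT"

    def fin(self, src):
        """A connection from src closed; frees one slot for that source."""
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1


def simulate():
    """Constructed scenario: one slow-HTTP client holding 60 connections, one
    whitelisted monitoring host doing the same, and 100 hosts with one each."""
    fw = ConnLimitModel(whitelist={"192.0.2.10"})
    summary = {}

    def run(label, sources, per_source, t0):
        counts = {"ACCEPT": 0, "DROP": 0}
        t = t0
        for src in sources:
            for _ in range(per_source):
                counts[fw.syn(src, t)] += 1
                t += 1                          # one new SYN per second
        summary[label] = counts

    run("single_source", ["10.0.0.5"], 60, 0)                            # one host, 60 conns
    run("whitelisted", ["192.0.2.10"], 60, 100)                          # exempt via '! -s'
    run("distributed", [f"10.0.1.{i}" for i in range(1, 101)], 1, 200)   # 100 hosts x 1 conn
    summary["logged"] = len(fw.log_lines)
    return summary


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

In the single-source case the 51st and later SYNs are dropped, but only the first five drops are logged because the LOG rule's token bucket starts at its burst and refills at 100 per hour; the distributed case opens the same 100 connections across 100 addresses and none is dropped, which is the limit of a per-source connlimit rule and the reason it complements rather than replaces request-level controls.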

mod-security-users mailing list