From: Thomas Eckert <thomas.r.w.eckert@gmail.com>
Reply-To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date: Tuesday, September 17, 2013 11:20 AM
To: "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Subject: Re: [mod-security-users] SecReadStateLimit shutting down server without hitting limit

which mentions SecReadStateLimit.

The problem is that mod_status creates many connections to the loopback URI, and these exceed the threshold set by this directive. This directive needs a whitelist capability so you can allow connections from 127.0.0.1 to bypass it -
https://www.modsecurity.org/tracker/browse/MODSEC-199



If using this directive is discouraged, why have it in the first place?

Reindl is talking about handling DoS blocking issues at a lower network level (IPTables) vs. using ModSecurity and not specifically about SecReadStateLimit.

-Ryan


Cheers,
  Thomas


On Tue, Sep 17, 2013 at 4:58 PM, Reindl Harald <h.reindl@thelounge.net> wrote:

Am 17.09.2013 16:44, schrieb Thomas Eckert:
> mod_security 2.7.3
> apache 2.4.4
>
> Trying to get some SlowHTTP defenses up and running using mod_security but SecReadStateLimit is giving me a hard
> time. It reports
>   ModSecurity: Access denied with code 400. Too many threads [1024] of 15 allowed in READ state from 127.0.0.1 -
> Possible DoS Consumption Attack
> even though the only connection existing is my access of mod_status. I cannot see those 1024 threads it keeps on
> complaining about using ps.
>
> Is that behaviour known of?

no idea *but* use iptables for such things instead of defending against them in
the application layer - this is a plain wrong usage of layered
security - what you want is to protect the application layer
and not fight inside the application layer with attacks

# log (rate-limited to 100 entries/hour) new connections to 80/443 from any
# source outside 192.168.196.0/24 that already holds more than 50 connections
iptables -A INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 \
    -m multiport --destination-port 80,443 --syn \
    -m connlimit --connlimit-above 50 \
    -m limit --limit 100/h \
    -j LOG --log-prefix "Firewall Slowloris: "
# then drop the same SYNs
iptables -A INPUT -p tcp -i eth0 ! -s 192.168.196.0/24 \
    -m multiport --destination-port 80,443 --syn \
    -m connlimit --connlimit-above 50 \
    -j DROP


------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
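The following is an added example written for this thread; it is not ModSecurity's code and was not posted by anyone above. It models in Python the check SecReadStateLimit performs (count a client IP's workers in READ state and deny once the count passes the limit) and adds the loopback whitelist that the MODSEC-199 ticket asks for, so that a local mod_status poller does not trip the limit. The scoreboard representation, the state letters, the function names and the sample data are all assumptions constructed for the example; the real module walks Apache's scoreboard in C.

```python
# Added example, not ModSecurity's implementation. A Python model of the
# per-client-IP READ-state count behind SecReadStateLimit, plus a CIDR
# whitelist. The scoreboard model, state letters and sample data are
# constructed for this example.
import ipaddress
from collections import Counter

READ_STATE = "R"   # assumed mod_status legend: "R" = reading request


def read_state_counts(scoreboard):
    """Per-client-IP count of workers currently in READ state.

    `scoreboard` is a list of (client_ip, state) tuples, one per worker
    slot; idle/open slots carry an empty client_ip and are skipped."""
    counts = Counter()
    for client_ip, state in scoreboard:
        if client_ip and state == READ_STATE:
            counts[client_ip] += 1
    return counts


def is_whitelisted(client_ip, whitelist):
    """True if client_ip falls inside any CIDR network in `whitelist`."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in whitelist)


def exceeds_read_limit(scoreboard, client_ip, limit, whitelist=()):
    """Decide whether a new request from client_ip should be denied.

    Corresponds to the 'Too many threads [N] of LIMIT allowed in READ
    state from IP' condition, except that whitelisted sources never
    trigger it."""
    if is_whitelisted(client_ip, whitelist):
        return False
    return read_state_counts(scoreboard)[client_ip] > limit


def offenders(scoreboard, limit, whitelist=()):
    """All non-whitelisted IPs over the limit, highest count first."""
    counts = read_state_counts(scoreboard)
    hits = [(ip, n) for ip, n in counts.items()
            if n > limit and not is_whitelisted(ip, whitelist)]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


# Constructed scoreboard: a local mod_status poller holding 20 slots in
# READ state, a slow-header client at 203.0.113.7 holding 18, and a
# normal client at 198.51.100.4 holding 2 (plus 3 slots sending replies).
SAMPLE_SCOREBOARD = (
    [("127.0.0.1", "R")] * 20
    + [("203.0.113.7", "R")] * 18
    + [("198.51.100.4", "R")] * 2
    + [("198.51.100.4", "W")] * 3
    + [("", ".")] * 10
)

if __name__ == "__main__":
    limit = 15
    print("no whitelist:", offenders(SAMPLE_SCOREBOARD, limit))
    print("loopback whitelisted:",
          offenders(SAMPLE_SCOREBOARD, limit, whitelist=["127.0.0.0/8"]))
```

Run as-is, the first line lists both 127.0.0.1 and 203.0.113.7 as over the limit of 15, which is the self-inflicted denial the original post describes; with 127.0.0.0/8 whitelisted only the external slow client remains, while the whitelist does nothing to protect that client's own limit.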