Re: [mod-security-users] Denial of Service Attacks
From: Ryan B. <RBa...@tr...> - 2011-05-02 13:38:28
One comment on mod_evasive, as a lot of people mention it when discussing Apache DoS prevention items. Keep in mind that mod_evasive doesn't use shared memory. What does this mean in practical terms? This means that the enforcement thresholds you specify in the conf file are only applicable per Apache child thread. This means that the protections for mod_evasive can be easily circumvented if the attacker does not use HTTP keep-alives and instead forces the target Apache server to spawn new threads for each request. In this scenario, each Apache child thread will only ever see 1 HTTP request and thus will never go over the mod_evasive limits.

This is one of the main advantages of using ModSecurity's persistent storage mechanisms (IP collection for instance) - it is able to correlate data across all child threads.

-Ryan

From: David Guimaraes <sk...@gm...>
Date: Thu, 28 Apr 2011 20:32:25 -0500
To: "Abdullah, Ayub" <Ayu...@tt...>
Cc: "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] Denial of Service Attacks

Have you tried using Apache mod_evasive or mod_limitipconn?

On Wed, Apr 27, 2011 at 11:34 AM, Abdullah, Ayub <Ayu...@tt...> wrote:

Good Morning,

We are currently using Mod_security 2.5.13 / CRS 2.10 in our environment and we were under the impression that Denial of service attacks was a newly added feature that allows this functionality. Well, we have been running into all sorts of problems getting this set up correctly. At the moment we have enabled xforwarding for on our proxy servers, which gives us the ability to identify offending IPs that are attacking us. We would like to defend against these denial of service attacks using mod_security and the httpd-guardian tool.

From what I have read and assuming httpdguardian is already configured, we only need to add one line to the Apache configuration to deploy it:

SecGuardianLog |/path/to/httpd-guardian

When I insert the above line it blocks all IPs to the site. How do I configure this to blacklist just the offending IP?

--
David Gomes Guimarães
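
The cross-child correlation Ryan describes, sketched as ModSecurity 2.x rules. This is an added example, not part of the original thread and not taken from the CRS; the rule ids, thresholds, durations and the SecDataDir path are assumptions.

```apache
# Added example (not from the thread). Ids, limits and paths are assumptions.

# Persistent collections are stored on disk under SecDataDir, so every
# Apache child reads and updates the same per-client record.
SecDataDir /var/cache/modsecurity

# Open (or create) the persistent IP collection for this client.
# Behind a reverse proxy REMOTE_ADDR is the proxy's address, so key on the
# forwarded client address instead, and only if the proxy sets it itself.
SecAction "phase:1,id:900100,nolog,pass,initcol:ip=%{REMOTE_ADDR}"

# Client was flagged earlier, possibly by a different child: deny at once.
SecRule IP:BLOCKED "@eq 1" \
    "phase:1,id:900101,deny,status:403,log,\
    msg:'Client temporarily blocked for excessive request rate'"

# Count the request. The counter is dropped 60 seconds after it was last
# updated, so a client that goes quiet starts again from zero.
SecAction "phase:1,id:900102,nolog,pass,\
    setvar:ip.req_count=+1,expirevar:ip.req_count=60"

# Threshold crossed: flag this client only, for five minutes.
SecRule IP:REQ_COUNT "@gt 100" \
    "phase:1,id:900103,pass,log,\
    msg:'Request rate threshold exceeded',\
    setvar:ip.blocked=1,expirevar:ip.blocked=300"
```

Because the counter lives in the shared collection rather than in per-child memory, requests sent over separate connections still add up against the same client key.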