Re: [Mod-security-developers] CRS DoS protection & x-forwarded-for header
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] CRS DoS protection & x-forwarded-for header
|
From: Ryan B. <RBa...@tr...> - 2011-05-05 14:46:29
|
FYI - updated the CRS 10 config file to add in this logic and uploaded it to SVN - http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/modsecurity_crs_10_config.conf.example?revision=1772 # # -=[ Global and IP Collections ]=- # # Create both Global and IP collections for rules to use # There are some CRS rules that assume that these two collections # have already been initiated. # SecRule REQUEST_HEADERS:User-Agent "^(.*)$" "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}" SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}" SecRule &TX:REAL_IP "!@eq 0" "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}" SecRule &TX:REAL_IP "@eq 0" "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}" The new rules will grab the first IP address listed in an X-Forwared-For header and use that for the IP collection key. If X-Forwarded-For is not present, then it will use REMOTE_ADDR. Thanks for the suggestion! -Ryan On 4/28/11 8:19 PM, "Oleg Gryb" <ole...@ya...<mailto:ole...@ya...>> wrote: I've just realized that there might be a problem with relying on that header: if an attacker intentionally sends different random IPs in there, DoS protection can be efficiently by-passed. In my case it should not happen, because an LB is the one who adds the header, but in general we should warn engineers about the possible exploit. Actually, even in LB case: if a request has already had the header, LB will create a new one with the existing value appended to the client IP: x-forwarded-for: real-client-ip, whatever-client-sent-to-LB It means that we would need to rely on the the first IP in the list, everything else should be considered as untrusted. Thanks, Oleg. ----- Original Message ---- From: Ryan Barnett <RBa...@tr...<mailto:RBa...@tr...>> To: Oleg Gryb <ol...@gr...<mailto:ol...@gr...>>; "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>> Cc: "owa...@li...<mailto:owa...@li...>" <owa...@li...<mailto:owa...@li...>> Sent: Thu, April 28, 2011 4:41:14 PM Subject: Re: [Mod-security-developers] CRS DoS protection & x-forwarded-for header Thanks for the updates Oleg! This will certainly be a useful update to not only the DoS rules buy any rules that will be based on the client IP. I will actually go back to check other uses of REMOTE_ADDR and see if we can swap it for tx.real_ip instead. I will add this to the CRS v2.2.0 that I am working on. For future reference - here is the OWASP CRS mail-list - https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set -- Ryan Barnett Senior Security Researcher Trustwave - SpiderLabs On 4/28/11 7:32 PM, "Oleg Gryb" <ole...@ya...<mailto:ole...@ya...>> wrote: >I'm not sure if I can discuss CRS rules here. If not, please let me know >what >the right place is. I want to suggest an improvement to DoS protection in >CRS >2.1.2. The problem is that enterprise applications usually run behind >load >balancers, so relying on remote_addr doesn't make too much sense, because >you'll >always have an LB's IP in there. > > >My improved rules (attached) check for x-forwarded-for header and if >it's >present, this IP will be used to initialize IP collection. If it's not >then the >old logic will be used. > >It would be great if we can include this improvement to the next CRS >release. > >Thanks, >Oleg. ------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd _______________________________________________ mod-security-developers mailing list mod...@li...<mailto:mod...@li...> https://lists.sourceforge.net/lists/listinfo/mod-security-developers ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/spiderLabs.php ------------------------------------------------------------------------------ WhatsUp Gold - Download Free Network Management Software The most intuitive, comprehensive, and cost-effective network management toolset available today. Delivers lowest initial acquisition cost and overall TCO of any competing solution. http://p.sf.net/sfu/whatsupgold-sd _______________________________________________ mod-security-developers mailing list mod...@li...<mailto:mod...@li...> https://lists.sourceforge.net/lists/listinfo/mod-security-developers ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/spiderLabs.php ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |
