Re: [Mod-security-developers] CRS DoS bugs/suggestions
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] CRS DoS bugs/suggestions
|
From: Oleg G. <ole...@ya...> - 2011-06-17 17:58:22
|
No, I think it's a logical error. !ip.dos_counter is called only after
dos_counter reached the threshold. Now, think about the following scenario:
1. I've sent a couple of requests
2. Waited for more than dos_burst_time_slice seconds hoping that it will clear
the dos_counter
3. Send some requests again. All of them will be added to the dos_counter
becuase it didn't expire.
All that means that you can keep adding to dos_counter for a very long period
of time, which is much longer than dos_burst_time_slice and it defeats the
purpose of dos_burst_time_slice parameter in my view.
----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: "ol...@gr..." <ol...@gr...>;
>"mod...@li..."
><mod...@li...>
> Sent: Fri, June 17, 2011 5:15:57 AM
> Subject: Re: [Mod-security-developers] CRS DoS bugs/suggestions
>
> Oleg,
> First of all, thank you for taking the time to test these rules further. The
>rule quality will only improve if the community takes the time to test them and
>report back the status.
>
> To your comments about the lack of "expirevar" actions, this should not be
>needed for the ip.dos_counter var as the last rule uses the
>"setvar:!ip.dos_counter" action to actually remove that variable if the
>operator matches. Can you please check your debug log during testing to verify
>if that action is not removing that variable? Perhaps there is a bug in
>removing the variable with the "!" symbol and using expirevar is more reliable.
>
> Also – what version of ModSecurity are you using?
>
> -Ryan
>
> From: Oleg Gryb <ole...@ya...<mailto:ole...@ya...>>
> Reply-To: "ol...@gr...<mailto:ol...@gr...>"
><ol...@gr...<mailto:ol...@gr...>>,
>"mod...@li...<mailto:mod...@li...>"
>
><mod...@li...<mailto:mod...@li...>>
>
> Date: Thu, 16 Jun 2011 11:32:11 -0500
> To:
>"mod...@li...<mailto:mod...@li...>"
>
><mod...@li...<mailto:mod...@li...>>
>
> Subject: [Mod-security-developers] CRS DoS bugs/suggestions
>
>
> I was testing DoS ruleset lately and found that there probably was a bug
>related to ip.dos_counter variable. The expiration time was not set for this
>var, as a result the counter persists longer than tx.dos_burst_time_slice. As a
>result, the history of hits is counted for a longer time period.
>
> I've added expiration time in two places and it started to work correctly
>after that. The changes are below:
>
> SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$"
>"phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
>
>
> ...
>
> SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}"
>"phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
>
>
> I've also attached the sample of testing program. I think, we should have
>something like that to test all limits. There are only two tests implemented
>for now: for request size and DoS, but it should be easy to add more.
>
>
>
> ________________________________
> This transmission may contain information that is privileged, confidential,
>and/or exempt from disclosure under applicable law. If you are not the intended
>recipient, you are hereby notified that any disclosure, copying, distribution,
>or use of the information contained herein (including any reliance thereon) is
>STRICTLY PROHIBITED. If you received this transmission in error, please
>immediately contact the sender and destroy the material in its entirety,
>whether in electronic or hard copy format.
>
>
|
