[Mod-security-developers] Advanced Slow DoS Mitigation
From: Christian F. <chr...@ti...> - 2011-07-05 18:42:30
Hi there,

ModSecurity always had a few nice options to help with request delaying mitigation. The combination with mod_reqtimeout is a good strategy as explained by Ryan at http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

In May, I did a presentation on the defense against Request Delaying DDoS aka Slow DoS or Slowloris type attacks. That Swiss Cyberstorm talk is now online at http://www.youtube.com/watch?v=svN49PIbcks

Around 32:30, I mention some advanced ideas on how to identify attackers very easily. As you know, a POST request to /index.html is perfectly okay with Apache. You can prevent it with ModSecurity, but not immediately when the server receives the request line. Ideally, you should be able to drop a request trying this immediately.

I would like to write rules that trigger as soon as the request line has been received. A phase 0 somehow. This would also be handy to drop requests that try to upload files before the user has been authenticated. Apache does not mind large uploads from unauthenticated users until it has received the whole blob. Not even mod_reqtimeout is of big help if you need to allow big file uploads.

Now I doubt that Apache allows for a phase 0 (I am not an Apache developer and, as you know, not even a ModSecurity developer) as there seems to be no hook at that moment and, if I get it right, the whole request record is not being prepared until post-read-request. But maybe I am wrong.

So what do you guys think?

Cheers,

Christian

-- 
I think IT projects are about supporting social systems - about communications between people and machines. They tend to fail due to cultural issues. -- Tim Berners-Lee
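The configuration below is an added example, not part of the original post and not Christian's or the ModSecurity project's own code. It shows the two mitigations the post mentions as they can be written today: a mod_reqtimeout header/body read timeout, and ModSecurity 2.x phase 1 rules that refuse a POST to a static page and a large body without a session cookie. The rule ids, the 16 KB threshold, the static-file suffix list and the cookie name `SESSION` are assumptions chosen for illustration.

```apache
# Added example (not from the original post). Assumes Apache 2.2.15+ or 2.4
# with mod_reqtimeout and ModSecurity 2.x (security2_module) loaded.

<IfModule mod_reqtimeout.c>
    # Headers must be complete within 20 s; the window grows to at most 40 s
    # as long as the client keeps sending at >= 500 bytes/s. The body gets
    # 10 s, extended to at most 60 s under the same minimum-rate condition.
    # A large legitimate upload needs a generous body window, which is the
    # limitation the post points out.
    RequestReadTimeout header=20-40,MinRate=500 body=10-60,MinRate=500
</IfModule>

<IfModule security2_module>
    SecRuleEngine On

    # Phase 1 runs once the request line AND all headers have been read;
    # it is the earliest hook ModSecurity offers, so this is as close to the
    # "phase 0" the post asks for as the engine currently gets.
    # Deny POST to static resources before any request body is processed.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:1000100,phase:1,deny,status:405,log,msg:'POST to static resource',chain"
        SecRule REQUEST_FILENAME "@rx \.(?:html?|css|js|png|jpe?g|gif)$"

    # Refuse a declared body larger than 16 KB (assumed threshold) when no
    # session cookie is present (cookie name SESSION is an assumption).
    # Because this is phase 1, the 413 is returned without reading the body.
    SecRule REQUEST_HEADERS:Content-Length "@gt 16384" \
        "id:1000101,phase:1,deny,status:413,log,msg:'Large upload without session',chain"
        SecRule &REQUEST_COOKIES:SESSION "@eq 0"
</IfModule>
```

The caveat matches the post's concern: both rules still wait for the complete header block, so a client that stalls after the request line is handled by the mod_reqtimeout `header=` window, not by ModSecurity. The second rule also only sees the `Content-Length` the client declares; a chunked upload has no such header, so it should be paired with `SecRequestBodyLimit` for the unauthenticated locations.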