Hi Ryan,
Thank you for your extensive comments. I agree with almost all.
Let me just quickly say a few words about SecWriteStateLimit.
On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> Did you see that Breno recently added SecWriteStateLimit as well to help
> mitigate Slow POST Attacks?
> http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecWriteStateLimit
I saw it immediately when it came out and it is a must-have
feature. But it is limited to single IP attackers and I am
not really afraid of those.
Otherwise SecWriteStateLimit interferes with HTTP Proxies. My
real world experience tells me that a legitimate Proxy can easily
have 50 active connections to my server. Not all of those
will be in SERVER_BUSY_WRITE but somehow SecWriteStateLimit
treats all connections equally and I would need some way to
tweak with that. Mod_qos has a notion of VIP connections
(via a list of predefined IP ranges). I do not really
think that this mechanism is very elegant, but whatever
you do with DDoS defense, it gets hairy very fast.
SecWriteStateLimit is elegant, but very limited.
Best,
Christian
--
It is not power that corrupts but fear. Fear of losing power corrupts
those who wield it and fear of the scourge of power corrupts those who
are subject to it.
-- Aung San Suu Kyi
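As an added illustration of the proxy problem discussed in the message above (this is example code, not code from ModSecurity or mod_qos; the client addresses, scoreboard entries and trusted ranges are constructed sample data), a toy per-client limiter that can count every connection equally, count only BUSY_WRITE connections, or additionally exempt a mod_qos-style list of trusted proxy ranges:

```python
import ipaddress
from collections import Counter

BUSY_WRITE = "SERVER_BUSY_WRITE"

# Constructed sample: trusted forward-proxy range, standing in for a
# mod_qos-style "VIP" list of networks allowed to hold many connections.
VIP_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def in_ranges(ip, ranges):
    """True when `ip` falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def offenders(connections, limit, busy_only=False, vip_ranges=()):
    """Return client IPs holding more than `limit` connections.

    connections: list of (client_ip, scoreboard_state) tuples.
    busy_only:   count only BUSY_WRITE connections instead of all of them.
    vip_ranges:  trusted networks that are never flagged.
    """
    per_ip = Counter(
        ip for ip, state in connections
        if (not busy_only or state == BUSY_WRITE)
        and not in_ranges(ip, vip_ranges)
    )
    return sorted(ip for ip, n in per_ip.items() if n > limit)


def sample_scoreboard():
    """Constructed scoreboard: a legitimate proxy with 50 open connections
    (only 25 of them in BUSY_WRITE), a single host holding 40 BUSY_WRITE
    connections (the footprint of a slow client), and an ordinary client."""
    proxy, single, normal = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    board = [(proxy, BUSY_WRITE)] * 25
    board += [(proxy, "SERVER_BUSY_READ")] * 15
    board += [(proxy, "SERVER_BUSY_KEEPALIVE")] * 10
    board += [(single, BUSY_WRITE)] * 40
    board += [(normal, "SERVER_BUSY_READ")] * 2
    return board


if __name__ == "__main__":
    board = sample_scoreboard()
    print("all states, limit 20   :", offenders(board, 20))
    print("busy-write only, 20    :", offenders(board, 20, busy_only=True))
    print("busy-write + VIP list  :", offenders(board, 20, True, VIP_RANGES))
```

With the limit at 20, counting all states flags the proxy alongside the slow client, counting only BUSY_WRITE still flags it, and only the trusted-range exemption leaves just the single host flagged.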