Re: [Mod-security-developers] Advanced Slow DoS Mitigation

[Christian F. <chr...@ti...>]

Hi there,

On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> Great preso and really highlights the threat.  I was wondering what
> percentage of WikiLeaks DoS attacks were utilizing Slowloris-type
> techniques.

Me2. ;)

To be honest there was too much noise to do any sort of measurements.
We have seen a lot of things, also a lot of vanilla slowloris,
but we also must have missed a lot of other interesting attacks.

> Specifically, phase:1 was moved by Ivan awhile ago to be the same as
> phase:2 (instead of Apache post-read-request) due to many users wanting to
> use phase:1 rules inside Apache scope directives like <Location>.  I
> personally do not agree with this change and we are reviewing a potential
> change back.

I bumped into the old phase:1 / Location issue before so I understand
the motivation. But I thought it would have been the better
countermeasure to have apache refuse to start with a phase:1 rule
inside a location.

> Regardless - I believe that we should consider a "phase:0" option that
> would essentially work at the Apache Filter level hook.  So, this would
> not be parsed like the other variables but could give basic access to src
> IP data and the entire request payload as perhaps a new variable -
> THE_REQUEST.

That sounds nice.

> The main issue that I see with a Filter level hook is that mod_uniqueid is
> not yet available and that is used by ModSecurity for proper logging.

That does not sound very nice, though.

Was not there a discussion on the Apache ML to hand over mod_uniqueid
(functionality) to ModSecurity? I think that would be wrong, but maybe
it is possible to introduce a patch to have mod_uniqueid run at this
early hook too (and before phase:0).

Cheers,

Christian


-- 
If we could read the secret history of our enemies, we should find in
each man's life sorrow and suffering enough to disarm all hostility.
-- Henry Wadsworth Longfellow