|
From: Breno S. <bre...@gm...> - 2011-07-07 14:31:52
|
Hi Christian, Did you try to SecWriteStateLimit ? I think we can use a value like 150-250 and detect the attacks and maybe you will not see FPs. When you say "active connections" if i understand well the term you are using ... it is a established connections right ? But it is not necessary a simultaneous SERVER_BUSY threads. So don't think in SecWriteStateLimit as a counter for connections... but for simultaneous threads in that state. Also you can have active 200 threads .. but a few in SERVER_BUSY state. I recommend you test (if you didn't ) it with the range of value i said here. Thanks Breno On Thu, Jul 7, 2011 at 12:24 AM, Christian Folini < chr...@ti...> wrote: > Hi Ryan, > > Thank you for your extensive comments. I agree with almost all. > Let me just quickly say a few words about SecWriteStateLimit. > > On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote: > > Did you see that Breno recently added SecWriteStateLimit as well to help > > mitigate Slow POST Attacks? > > > http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Referenc > > e_Manual#SecWriteStateLimit > > I have seen it immediately when it came out and it is a must-have > feature. But it is limited to single IP attackers and I am > not really afraid of those. > > Otherwise SecWriteStateLimit interferes with HTTP Proxies. My > real world experience tells me that a legitimate Proxy can easily > have 50 active connections to my server. Not all of those > will be in SERVER_BUSY_WRITE but somehow SecWriteStateLimit > treats all connections equally and I would need some way to > tweak with that. Mod_qos has a notion of VIP connections > (via a list of predefined IP ranges). I do not really > think that this mechanism is very elegant, but whatever > you do with DDoS defense, it gets hairy very fast. > SecWriteStateLimit is elegant, but very limited. > > Best, > > Christian > > > -- > It is not power that corrupts but fear. Fear of losing power corrupts > those who wield it and fear of the scourge of power corrupts those who > are subject to it. > -- Aung San Suu Kyi > > > ------------------------------------------------------------------------------ > All of the data generated in your IT infrastructure is seriously valuable. > Why? It contains a definitive record of application performance, security > threats, fraudulent activity, and more. Splunk takes this data and makes > sense of it. IT sense. And common sense. > http://p.sf.net/sfu/splunk-d2d-c2 > _______________________________________________ > mod-security-developers mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-developers > ModSecurity Services from Trustwave's SpiderLabs: > https://www.trustwave.com/spiderLabs.php > |
