Hi Christian,
Did you try SecWriteStateLimit? I think we can use a value like 150-250
and detect the attacks, and maybe you will not see FPs.
When you say "active connections", if I understand the term you are
using correctly, it is established connections, right? But that is not
necessarily simultaneous SERVER_BUSY threads.
So don't think of SecWriteStateLimit as a counter for connections, but for
simultaneous threads in that state. Also, you can have 200 active threads
but only a few in the SERVER_BUSY state.
I recommend you test it (if you didn't) with the range of values I gave
here.
Thanks
Breno
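The distinction Breno draws above (established connections from one IP versus the subset of worker threads that are in SERVER_BUSY_WRITE for that IP) is easy to get wrong when reading a server-status page, so here is an added illustration. This is constructed example code, not ModSecurity's implementation: it models an Apache scoreboard as (client_ip, state) pairs, counts SERVER_BUSY_WRITE threads per IP, and applies a limit in the 150-250 range. The IP addresses, the scoreboard contents and the choice to deny when the count exceeds the limit are all assumptions made for the example.

```python
"""Per-IP SERVER_BUSY_WRITE counting, as a constructed illustration of what a
SecWriteStateLimit-style threshold measures (not ModSecurity's own code)."""
from collections import Counter

# Apache scoreboard states (subset); the names follow httpd's scoreboard.h.
SERVER_READY = "SERVER_READY"
SERVER_BUSY_READ = "SERVER_BUSY_READ"
SERVER_BUSY_WRITE = "SERVER_BUSY_WRITE"
SERVER_BUSY_KEEPALIVE = "SERVER_BUSY_KEEPALIVE"


def busy_write_per_ip(scoreboard):
    """Count worker threads in SERVER_BUSY_WRITE, keyed by client IP.

    `scoreboard` is an iterable of (client_ip, state) pairs, one per worker
    thread; idle workers carry client_ip None and are skipped.
    """
    counts = Counter()
    for client_ip, state in scoreboard:
        if client_ip is not None and state == SERVER_BUSY_WRITE:
            counts[client_ip] += 1
    return counts


def active_connections_per_ip(scoreboard):
    """Count every non-idle worker per IP, whatever its state.

    This is the 'active (established) connections' figure, which is larger
    than the SERVER_BUSY_WRITE count and is not what the limit looks at.
    """
    return Counter(ip for ip, _state in scoreboard if ip is not None)


def over_limit(scoreboard, limit):
    """Return the IPs whose SERVER_BUSY_WRITE thread count exceeds `limit`.

    Assumption for this example: the threshold is a strict 'more than'
    comparison; the real directive's exact comparison is not shown here.
    """
    return {ip for ip, n in busy_write_per_ip(scoreboard).items() if n > limit}


def build_scoreboard():
    """Constructed scoreboard (not real data) with two interesting clients.

    - 203.0.113.10: a legitimate forward proxy with 50 established
      connections, of which only 4 are in SERVER_BUSY_WRITE.
    - 198.51.100.7: a single-IP slow-POST client holding 200 worker threads,
      all of them in SERVER_BUSY_WRITE.
    """
    proxy = "203.0.113.10"
    slow_client = "198.51.100.7"
    board = []
    board += [(proxy, SERVER_BUSY_WRITE)] * 4
    board += [(proxy, SERVER_BUSY_KEEPALIVE)] * 40
    board += [(proxy, SERVER_BUSY_READ)] * 6
    board += [(slow_client, SERVER_BUSY_WRITE)] * 200
    board += [("192.0.2.5", SERVER_BUSY_WRITE), ("192.0.2.6", SERVER_BUSY_READ)]
    board += [(None, SERVER_READY)] * 20
    return board


if __name__ == "__main__":
    board = build_scoreboard()
    proxy = "203.0.113.10"
    print("proxy active connections:", active_connections_per_ip(board)[proxy])
    print("proxy SERVER_BUSY_WRITE threads:", busy_write_per_ip(board)[proxy])
    for limit in (150, 250):
        print("limit", limit, "-> over limit:", sorted(over_limit(board, limit)))
```

With a limit of 150 the slow-POST client is flagged while the proxy, despite its 50 established connections, stays far below the threshold because only 4 of its threads are in SERVER_BUSY_WRITE; with 250 nothing is flagged, which is the trade-off behind testing the 150-250 range on real traffic.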
On Thu, Jul 7, 2011 at 12:24 AM, Christian Folini <
chr...@ti...> wrote:
> Hi Ryan,
>
> Thank you for your extensive comments. I agree with almost all.
> Let me just quickly say a few words about SecWriteStateLimit.
>
> On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
> > Did you see that Breno recently added SecWriteStateLimit as well to help
> > mitigate Slow POST Attacks?
> >
> > http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecWriteStateLimit
>
> I saw it immediately when it came out and it is a must-have
> feature. But it is limited to single IP attackers and I am
> not really afraid of those.
>
> Otherwise SecWriteStateLimit interferes with HTTP proxies. My
> real-world experience tells me that a legitimate proxy can easily
> have 50 active connections to my server. Not all of those
> will be in SERVER_BUSY_WRITE, but somehow SecWriteStateLimit
> treats all connections equally and I would need some way to
> tweak that. Mod_qos has a notion of VIP connections
> (via a list of predefined IP ranges). I do not really
> think that this mechanism is very elegant, but whatever
> you do with DDoS defense, it gets hairy very fast.
> SecWriteStateLimit is elegant, but very limited.
>
> Best,
>
> Christian
>
>
> --
> It is not power that corrupts but fear. Fear of losing power corrupts
> those who wield it and fear of the scourge of power corrupts those who
> are subject to it.
> -- Aung San Suu Kyi
>
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>