FYI. I'm adding a small check in SecWriteStateLimit to only check for POST
connections (2.6.1-stable)
thanks
Breno
On Thu, Jul 7, 2011 at 9:31 AM, Breno Silva <bre...@gm...> wrote:
> Hi Christian,
>
> Did you try SecWriteStateLimit? I think we can use a value like 150-250
> and detect the attacks and maybe you will not see FPs.
>
> When you say "active connections", if I understand the term you are
> using well ... it is established connections, right? But these are not
> necessarily simultaneous SERVER_BUSY threads.
>
> So don't think of SecWriteStateLimit as a counter for connections... but
> for simultaneous threads in that state. Also, you can have 200 active threads
> ... but only a few in SERVER_BUSY state.
>
> I recommend you test it (if you didn't already) with the range of values I
> gave here.
>
> Thanks
>
> Breno
>
>
> On Thu, Jul 7, 2011 at 12:24 AM, Christian Folini <
> chr...@ti...> wrote:
>
>> Hi Ryan,
>>
>> Thank you for your extensive comments. I agree with almost all.
>> Let me just quickly say a few words about SecWriteStateLimit.
>>
>> On Wed, Jul 06, 2011 at 07:42:50AM -0500, Ryan Barnett wrote:
>> > Did you see that Breno recently added SecWriteStateLimit as well to help
>> > mitigate Slow POST Attacks?
>> >
>> > http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecWriteStateLimit
>>
>> I saw it immediately when it came out and it is a must-have
>> feature. But it is limited to single-IP attackers and I am
>> not really afraid of those.
>>
>> Otherwise SecWriteStateLimit interferes with HTTP proxies. My
>> real-world experience tells me that a legitimate proxy can easily
>> have 50 active connections to my server. Not all of those
>> will be in SERVER_BUSY_WRITE, but somehow SecWriteStateLimit
>> treats all connections equally and I would need some way to
>> tweak that. Mod_qos has a notion of VIP connections
>> (via a list of predefined IP ranges). I do not really
>> think that this mechanism is very elegant, but whatever
>> you do with DDoS defense, it gets hairy very fast.
>> SecWriteStateLimit is elegant, but very limited.
>>
>> Best,
>>
>> Christian
>>
>>
>> --
>> It is not power that corrupts but fear. Fear of losing power corrupts
>> those who wield it and fear of the scourge of power corrupts those who
>> are subject to it.
>> -- Aung San Suu Kyi
>>
>>
>> _______________________________________________
>> mod-security-developers mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
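The distinction Breno draws above (SecWriteStateLimit counts a client's threads in SERVER_BUSY_WRITE, not its open connections) and Christian's proxy false-positive concern are easy to misread without numbers. The following Python model of an Apache scoreboard is an added illustration and is not ModSecurity's code or anything posted in the thread. It builds a constructed scoreboard (sample data, not a capture) with one busy but legitimate proxy and one single-IP slow-POST attacker, then compares "active connections" per client against the SERVER_BUSY_WRITE count that the directive actually limits. It also sketches the two tweaks the thread mentions: Breno's POST-only check from 2.6.1-stable, and a mod_qos-style VIP range exemption that Christian wishes ModSecurity had. The `vip_cidrs` exemption, the `> limit` threshold semantics and the `Worker` fields are assumptions made for this example only.

```python
"""Toy model of per-client SERVER_BUSY_WRITE counting, as discussed in the thread.
Added illustration only; this is not ModSecurity's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Sequence

# Scoreboard states, using the one-letter codes Apache's mod_status prints.
IDLE = "_"        # waiting for a connection, no client attached
BUSY_READ = "R"   # reading the request line/headers
BUSY_WRITE = "W"  # SERVER_BUSY_WRITE: request parsed, worker busy serving it


@dataclass(frozen=True)
class Worker:
    state: str
    client: str        # client IP as the scoreboard records it ("" when idle)
    method: str = ""   # request method once a request line has been parsed


def build_scoreboard() -> List[Worker]:
    """Constructed sample scoreboard: a legitimate forward proxy with many
    connections and a single-IP slow-POST attacker. Not real data."""
    proxy, attacker = "198.51.100.10", "203.0.113.7"
    workers: List[Worker] = []
    # Proxy: 50 active connections, but only 12 in SERVER_BUSY_WRITE (3 of them POST).
    workers += [Worker(BUSY_READ, proxy) for _ in range(38)]
    workers += [Worker(BUSY_WRITE, proxy, "GET") for _ in range(9)]
    workers += [Worker(BUSY_WRITE, proxy, "POST") for _ in range(3)]
    # Attacker: 200 POST bodies trickling in, every worker stuck in SERVER_BUSY_WRITE.
    workers += [Worker(BUSY_WRITE, attacker, "POST") for _ in range(200)]
    # A few idle workers, as a live scoreboard would also show.
    workers += [Worker(IDLE, "") for _ in range(6)]
    return workers


def active_connections(workers: Iterable[Worker], client: str) -> int:
    """What Christian calls 'active connections': every non-idle worker for the client."""
    return sum(1 for w in workers if w.client == client and w.state != IDLE)


def write_state_count(workers: Iterable[Worker], client: str, post_only: bool = False) -> int:
    """What SecWriteStateLimit counts: the client's workers in SERVER_BUSY_WRITE.
    post_only models the 2.6.1-stable change Breno mentions (only POST requests count)."""
    return sum(
        1 for w in workers
        if w.client == client and w.state == BUSY_WRITE
        and (not post_only or w.method == "POST")
    )


def should_drop(workers: Iterable[Worker], client: str, limit: int,
                post_only: bool = False, vip_cidrs: Sequence[str] = ()) -> bool:
    """Hypothetical decision: drop once the per-client write-state count exceeds the limit.
    vip_cidrs is an assumed mod_qos-style exemption list for trusted proxy ranges;
    ModSecurity 2.6 offers no such knob, which is exactly Christian's complaint."""
    addr = ip_address(client)
    if any(addr in ip_network(cidr) for cidr in vip_cidrs):
        return False
    return write_state_count(workers, client, post_only) > limit


if __name__ == "__main__":
    sb = build_scoreboard()
    for who, ip in (("proxy", "198.51.100.10"), ("attacker", "203.0.113.7")):
        print(f"{who:8s} active={active_connections(sb, ip):3d} "
              f"busy_write={write_state_count(sb, ip):3d} "
              f"busy_write_post={write_state_count(sb, ip, post_only=True):3d}")
    print("limit 150, attacker dropped:", should_drop(sb, "203.0.113.7", 150))
    print("limit 150, proxy dropped:   ", should_drop(sb, "198.51.100.10", 150))
    print("limit 10,  proxy dropped:   ", should_drop(sb, "198.51.100.10", 10))
    print("limit 10,  proxy, VIP range:", should_drop(sb, "198.51.100.10", 10,
                                                      vip_cidrs=["198.51.100.0/24"]))
```

With a limit in Breno's suggested 150-250 range the attacker's 200 write-state threads trip the check while the proxy's 12 do not; drop the limit to 10 and the same proxy becomes a false positive unless it is exempted or only POST is counted.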