Re: [mod-security-users] DDOS attacks protection with X-forwarded-for
                
      From: maoz z. <ma...@gm...> - 2013-11-24 19:24:29
      
is there any way to do it without using mod_remoteip?
I tried that rule, but couldn't manage to get it working:

    SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
        "phase:1,t:none,pass,nolog,capture,setvar:tx.client_ip=%{tx.1}"
    SecRule &TX:CLIENT_IP "@eq 0" \
        "phase:1,t:none,pass,nolog,setvar:tx.client_ip=%{remote_addr}"
    SecRule &TX:CLIENT_IP "!@eq 0" \
        "phase:1,t:none,pass,nolog,initcol:ip=%{tx.client_ip}"

any idea?
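An added example, not code from this thread and not ModSecurity project code, of how I would derive the client address behind a cache layer without mod_remoteip: trust X-Forwarded-For only when the TCP peer is a known proxy, and take the right-most entry, which is the one that proxy appended. The rule quoted above anchors `^`, so it takes whatever a client put first in the header; an attacker can then choose its own rate-limit key, or push a victim's address into the block list. The blog's per-second counters are then keyed on the derived address instead of REMOTE_ADDR. Assumptions: ModSecurity 2.7 or later (it refuses to load rules without an `id`, which is worth checking in the Apache error log whenever a rule set "does not work", and it provides `@ipMatch`); IPv4 only; the ranges 192.0.2.0/24 and 198.51.100.0/24 and the ids 900100-900106 are placeholders for the real edge ranges and a free id range.

```apache
# Added example (not from the thread, not ModSecurity project code).
# Assumptions: ModSecurity 2.7+ (@ipMatch, mandatory rule ids), IPv4 only,
# 192.0.2.0/24 and 198.51.100.0/24 standing in for the real proxy/edge ranges,
# ids 900100-900106 assumed free. SecDataDir must be writable by httpd.

SecRuleEngine On
SecDataDir logs/mod_security-data

# 1. Default client address: the TCP peer. Overridden below only when that
#    peer is a trusted proxy, so a client that reaches the origin directly
#    cannot choose its own rate-limit key by sending X-Forwarded-For.
SecAction "phase:1,id:900100,t:none,nolog,pass,setvar:tx.client_ip=%{REMOTE_ADDR}"

# 2. Peer is a trusted proxy: take the RIGHT-MOST address in X-Forwarded-For,
#    the one that proxy appended. Anything to its left was supplied by the
#    client and may be forged (an '^'-anchored pattern would trust it).
SecRule REMOTE_ADDR "@ipMatch 192.0.2.0/24,198.51.100.0/24" \
    "phase:1,id:900101,t:none,nolog,pass,chain"
    SecRule REQUEST_HEADERS:X-Forwarded-For "(\d{1,3}(?:\.\d{1,3}){3})\s*$" \
        "t:none,capture,setvar:tx.client_ip=%{tx.1}"

# 3. Key the per-client collection on the derived address, not on the peer.
SecAction "phase:1,id:900102,t:none,nolog,pass,initcol:ip=%{tx.client_ip}"

# 4. Count requests per second for non-static URLs (same idea as the blog
#    rules, but the collection is keyed on tx.client_ip).
SecRule REQUEST_BASENAME "!\.(?:css|gif|ico|jpg|js|png|txt)$" \
    "phase:1,id:900103,t:none,nolog,pass,setvar:ip.requests=+1,expirevar:ip.requests=1"

# 5. Fifth request within one second: block this client for 5 s and remember
#    the block for an hour.
SecRule IP:REQUESTS "@eq 5" \
    "phase:1,id:900104,t:none,nolog,pass,setvar:ip.block=1,expirevar:ip.block=5,setvar:ip.blocks=+1,expirevar:ip.blocks=3600"

# 6. Deny while blocked, or after 5 blocks in an hour. logdata records the
#    derived address so the audit log shows the client, not the edge node.
SecRule IP:BLOCKS "@ge 5" \
    "phase:1,id:900105,t:none,log,deny,status:403,logdata:'client %{tx.client_ip} req/sec %{ip.requests} blocks %{ip.blocks}'"
SecRule IP:BLOCK "@eq 1" \
    "phase:1,id:900106,t:none,log,deny,status:403,logdata:'client %{tx.client_ip} req/sec %{ip.requests} blocks %{ip.blocks}'"
```

Two caveats. With more than one trusted hop in front of the origin (edge node, then a parent cache), the right-most entry is the parent, not the client; walking the list right to left past every trusted address is what mod_remoteip's RemoteIPInternalProxy does, and it is not expressible in a single @rx, so in that topology mod_remoteip is the simpler answer after all. And none of this helps if the origin accepts connections from anywhere: restricting the origin to the edge ranges at the firewall is what makes REMOTE_ADDR trustworthy in the first place.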
On Fri, Nov 22, 2013 at 9:18 PM, maoz zadok <ma...@gm...> wrote:
>
> Thank you Reindl, I may try it.
> Thank you Ryan, I'm looking for alternatives to Akamai protection;
> the Akamai protection module costs a lot.
> Mainly, most of the attacks on our site that get to the origin are loops of HTTP
> requests to dynamic content, loops of POST requests for comments, and loops of
> HTTP requests to cached content with different parameters that pass the
> cache and get to the origin.
>
> On Fri, Nov 22, 2013 at 6:52 PM, Ryan Barnett <RBa...@tr...>wrote:
>
>>   Do you have any examples of the type of traffic that you want to block
>> with these types of rules that the Akamai DDoS/WAF protections are not
>> handling?  Ideally, this stuff should be handled at the "edge" of your
>> network, which in this case extends to the Akamai platform.
>>
>>  --
>> Ryan Barnett
>> Trustwave SpiderLabs
>> ModSecurity Project Leader
>> OWASP ModSecurity CRS Project Leader
>>
>>
>>   From: maoz zadok <ma...@gm...>
>> Reply-To: "mod...@li..." <
>> mod...@li...>
>> Date: Friday, November 22, 2013 11:28 AM
>> To: "mod...@li..." <
>> mod...@li...>
>> Subject: [mod-security-users] DDOS attacks protection with
>> X-forwarded-for
>>
>>     Hello all,
>>
>>  I found the following rule for DDoS protection. I'd like to implement
>> this rule, but my website is behind cache servers (Akamai services); any
>> idea how I can use it with the X-Forwarded-For real client IP?
>>
>> http://blog.cherouvim.com/simple-dos-protection-with-mod_security/
>>
>> the rules I found at the above source:
>>
>> SecRuleEngine On
>>
>> SecAuditEngine RelevantOnly
>> SecAuditLogType Serial
>> SecAuditLog logs/mod_security.log
>>
>> # a folder where mod_security will store data variables
>> SecDataDir logs/mod_security-data
>>
>> # ignore requests from localhost or some other IP
>> SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,nolog,allow"
>>
>> # for all non static urls count requests per second per ip
>> # (increase var requests by one, expires in 1 second)
>> SecRule REQUEST_BASENAME "!(\.avi$|\.bmp$|\.css$|\.doc$|\.flv$|\.gif$|\
>>                             \.htm$|\.html$|\.ico$|\.jpg$|\.js$|\.mp3$|\
>>                             \.mpeg$|\.pdf$|\.png$|\.pps$|\.ppt$|\.swf$|\
>>                             \.txt$|\.wmv$|\.xls$|\.xml$|\.zip$)" \
>>     "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.requests=+1,expirevar:ip.requests=1"
>>
>> # when this IP reaches 5 requests within one second:
>> # set var block to 1 (expires in 5 seconds) and increase var blocks by one (expires in an hour)
>> SecRule ip:requests "@eq 5" "phase:1,pass,nolog,setvar:ip.block=1,expirevar:ip.block=5,setvar:ip.blocks=+1,expirevar:ip.blocks=3600"
>>
>> # if the IP was blocked 5 or more times (var blocks >= 5), log and return http 403
>> SecRule ip:blocks "@ge 5" "phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"
>>
>> # if the IP is currently blocked (var block=1), log and return http 403
>> SecRule ip:block "@eq 1" "phase:1,deny,log,logdata:'req/sec: %{ip.requests}, blocks: %{ip.blocks}',status:403"
>>
>> # 403 is some static page or message
>> ErrorDocument 403 "<center><h2>take it easy yo!"
>>