Re: [mod-security-users] issue with IP rate-limiting
From: Gaurav A. <gau...@gm...> - 2016-08-05 10:50:43
Reindl,

Need to get it to work using mod-security only, as I have to block requests for specific URLs.

Thanks,
Gaurav

On Fri, Aug 5, 2016 at 3:52 PM, Reindl Harald <h.r...@th...> wrote:
>
> On 05.08.2016 at 12:10 Gaurav Agarwal wrote:
>
>> I am testing the following simple IP-based rate-limiting custom rule:
>>
>> SecDataDir /tmp/
>> SecRule REQUEST_URI "/" "chain,id:'5',phase:1,deny,log,status:403"
>> SecAction "initcol:IP=%{REMOTE_ADDR},setvar:IP.pagecount=+1,expirevar:IP.pagecount=60,chain"
>> SecRule IP:PAGECOUNT "@gt 5"
>>
>> I thought that this rule would block the client when it sends more than 5
>> requests *over the period of 60 seconds.*
>>
>> However, it seems that every time a request is received, the
>> variable *__expire_pagecount* is being incremented by 60 seconds. So
>> even if I am sending 1 request every minute, mod-security is blocking
>> the client in the *6th minute.*
>>
>> I know I am missing something fundamental?
>
> Don't do that in the attacked application itself, wrong layer.
>
> iptables does a much better job here by limiting requests per IP within, as an
> example, 2 seconds, for a ton of reasons:
>
> * it doesn't consume httpd resources
> * it's earlier and faster
> * it just DROPs packets
> * in case it hits a carrier-grade NAT the drop
>   results most of the time in a retry and so only
>   a small delay on the client side while the webserver
>   doesn't get overloaded
>
> ctstate NEW recent: UPDATE seconds: 2 hit_count: 100 name: DEFAULT side: source mask: 255.255.255.255
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
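The behaviour Gaurav describes follows from where `expirevar` sits in the posted rule: it runs on every request, so the counter's expiry deadline is pushed out by 60 seconds each time and the variable never expires while requests keep arriving. The simulation below is an added example, not code from the thread or from ModSecurity; it models the persistent `IP` collection as a small Python object and replays two constructed request timelines under both semantics: the posted rule (deadline re-armed on every request) and a fixed 60-second window (deadline set only when the counter is first created). The timestamps, the window and the threshold of 5 are taken from the question; the model of how ModSecurity drops an expired variable on collection load is my assumption.

```python
"""Simulate ModSecurity's IP.pagecount / expirevar behaviour.

Added example, not from the mailing-list thread or the ModSecurity
project. Two modes are modelled:

  rearm_expiry=True   the posted rule: expirevar runs on every request,
                      so __expire_pagecount = now + 60 is rewritten each
                      time and the counter only expires after 60 s of
                      silence.
  rearm_expiry=False  a fixed window: the deadline is set only when the
                      counter is created, so it expires 60 s after the
                      first request regardless of later traffic.

Assumption: when the collection is loaded for a request, a variable whose
deadline has passed is removed before the rule's setvar runs.
"""
from dataclasses import dataclass
from typing import List, Optional

WINDOW = 60      # expirevar:IP.pagecount=60
THRESHOLD = 5    # SecRule IP:PAGECOUNT "@gt 5"


@dataclass
class IpCollection:
    """Persistent per-IP state: the counter and its expiry deadline."""
    pagecount: int = 0
    expire_at: Optional[float] = None


def process_request(col: IpCollection, now: float, rearm_expiry: bool) -> bool:
    """Apply the rule chain for one request; return True if it would be denied."""
    # Collection load: drop the variable if __expire_pagecount has passed.
    if col.expire_at is not None and now >= col.expire_at:
        col.pagecount = 0
        col.expire_at = None

    # setvar:IP.pagecount=+1
    col.pagecount += 1

    # expirevar:IP.pagecount=60 -- either on every request (posted rule)
    # or only when the counter has just been created (fixed window).
    if rearm_expiry or col.expire_at is None:
        col.expire_at = now + WINDOW

    # SecRule IP:PAGECOUNT "@gt 5" -> deny
    return col.pagecount > THRESHOLD


def simulate(timestamps: List[float], rearm_expiry: bool) -> List[bool]:
    """Replay a list of request times (seconds) for one client IP."""
    col = IpCollection()
    return [process_request(col, t, rearm_expiry) for t in timestamps]


# Constructed timelines: roughly one request per minute, and a 6-request burst.
ONE_PER_MINUTE = [0, 59, 118, 177, 236, 295]
BURST = [0, 1, 2, 3, 4, 5]

if __name__ == "__main__":
    for label, times in (("one per minute", ONE_PER_MINUTE), ("burst", BURST)):
        print(label, "posted rule:", simulate(times, rearm_expiry=True))
        print(label, "fixed window:", simulate(times, rearm_expiry=False))
```

With the posted semantics the slow client is denied on its 6th request even though no 60-second window ever contained more than two requests; with a fixed window it is never denied, while a burst of six requests in five seconds is denied in both modes, so the threshold itself is fine. In ModSecurity terms the fixed-window variant corresponds to arming `expirevar` only when the counter is first created, for example from a separate rule that matches `&IP:PAGECOUNT "@eq 0"` before the increment; that is my suggestion, not something the thread confirms.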