Re: [mod-security-users] Working Around Race Conditions in Persistent Storage
From: Reindl H. <h.r...@th...> - 2016-09-08 19:27:18
On 08.09.2016 at 20:47, Robert Paprocki wrote:
> Also, frankly using Apache as a DoS mitigation vector feels like shoving
> a square peg into a round hole. Writing complex rulesets to rate limit
> certain request patterns seems much better served by a downstream proxy
> than the app server itself (and at this point, we're starting to get
> into "move the WAF away from the app server" territory); indeed, using
> Nginx as a simple proxy with libmodsec to monitor this traffic would
> likely be a much more performant solution. Alternatives might also
> include using something like OpenResty to provide flexible scripting
> options for login traffic analysis in the context of a downstream
> reverse proxy, without being locked in directly to ModSecurity's syntax
> and environment (but still being able to leverage libmodsecurity if
> desired)

the idea to protect an application from DOS attacks by some code inside the attacked application is simply a perverse one - is, was and ever will be

for most types of DOS attacks iptables on the host itself is much better (if you can't or don't want to have some layer *before* the target machine at all)