Re: [mod-security-users] Working Around Race Conditions in Persistent Storage
From: Reindl H. <h.r...@th...> - 2016-09-08 19:58:58
On 08.09.2016 at 21:48, Barry Pollard wrote:
>> the idea of protecting an application from DoS attacks by some code inside the attacked application is simply a perverse one - is, was and ever will be
>
> The idea of protecting the webserver itself from DoS attacks from within the webserver is indeed wrong.
>
> However the idea of protecting the application (which typically has a much lower DoS threshold) using the webserver that sits in front of it is not so crazy...
Not really. I need to protect my server from accepting more requests and
connections than it can handle, independent of the single application.
Playing around with some "DoS prevention for the poor" inside the
application *will lower* those numbers through the added overhead.
Yes, you may have some applications in a mixed load which are more
problematic, but that won't change the problem: bringing persistent
collections for rate controls inside the application layer will have a
negative impact on the whole server.
___________________________
Most of your problems are solved by rules like the ones below on the
application host, *combined* with a firewall in front with higher bounds
to keep real attacks away from the server entirely.
0 0 DROP tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 ctstate NEW recent: UPDATE seconds: 2 hit_count: 100 name: DEFAULT side: source mask: 255.255.255.255
0 0 DROP tcp -- * * !192.168.196.0/24 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/32 > 50
0 0 DROP tcp -- * * !192.168.196.0/24 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/24 > 150
0 0 DROP tcp -- * * !192.168.196.0/24 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/16 > 250
0 0 DROP tcp -- * * !192.168.196.0/24 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/8 > 500