Re: [mod-security-users] How to limit access rate by header?
From: Reindl H. <h.r...@th...> - 2018-12-05 19:14:02
On 05.12.18 at 16:57, Luciano Guillermo Fantuzzi wrote:
> First of all, I'm new here so I'm not sure this is the right place for
> asking for help (free modsec version). If it's not, I'll really
> appreciate it if you can tell me where I should go.
>
> I'm trying to limit hit rate by:
>
> 1. Request's header (like "facebookexternalhit").
> 2. (All hits to non static resources)
>
> And then return a friendly "429 Too Many Requests" and "Retry-After: 3"
> (seconds).
> I know I can read a file of headers like:
>
> SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt"
>
> But I'm having trouble building the entire rule.
>
> Any help would be really appreciated. Thank you!

This is a non-issue.

Normally you have rate limits per IP in place, and they should not be within the application layer at all, and in the best case not even on the same machine.

What is below is from a firewall VM in front of a complete /24 network, before any packet reaches a server at all, and on the individual servers similar rules with lower values per 2 seconds are in place.

When the request reaches the webserver the damage is long done, and if no damage is done you are wasting expensive resources with the rules.

Chain INBOUND (2 references)
 pkts bytes target   prot opt in  out source     destination
 1914  183K IPST_ALL all  --  *   *   0.0.0.0/0  0.0.0.0/0   recent: UPDATE seconds: 2 hit_count: 250 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
 149K   15M DROP_ALL all  --  *   *   0.0.0.0/0  0.0.0.0/0   recent: UPDATE seconds: 2 reap hit_count: 150 TTL-Match name: limit_all_global side: source mask: 255.255.255.255
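For readers who still need the ModSecurity side of the original question (the rule the poster could not finish, rather than the firewall-level limit recommended in the reply), the following is an added example written for this archive page; it is not code from either poster. It assumes ModSecurity 2.x on Apache httpd with mod_headers loaded, a writable SecDataDir, and a ratelimit-bots.txt (one User-Agent substring per line, e.g. "facebookexternalhit") next to the rules file; the rule ids 1000-1002, the 3 second window, the 10-hit budget, the static-file extension list and the path /tmp/modsec-data are my placeholders, and "non static resources" is read as "requests whose path does not end in a static asset extension":

```apache
# Added example, not from the thread. Rate-limit crawler User-Agents on
# non-static resources and answer 429 with Retry-After.
# Assumptions (mine): ModSecurity 2.x, mod_headers loaded, ratelimit-bots.txt
# beside this file. Ids 1000-1002, window 3 s and budget 10 are placeholders.

# Persistent storage for collections (initcol needs it).
SecDataDir /tmp/modsec-data

# Load (or create) the per-client collection so counters survive across requests.
# Keyed by client IP; the key could be any string if a different scope is wanted.
SecAction "id:1000,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Count a hit only when BOTH parts of the chain match:
#   1. the User-Agent contains an entry from ratelimit-bots.txt
#   2. the requested file is not a static asset
# expirevar re-arms the 3 s expiry on every hit, so the counter clears 3 s
# after the last matching request (the same value sent back in Retry-After).
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile ratelimit-bots.txt" \
    "id:1001,phase:1,pass,nolog,chain"
    SecRule REQUEST_FILENAME "!@rx \.(?:css|js|png|jpe?g|gif|ico|svg|woff2?)$" \
        "t:none,setvar:ip.bot_hits=+1,expirevar:ip.bot_hits=3"

# Over budget: deny with 429, log it, and export an env flag for mod_headers.
SecRule IP:bot_hits "@gt 10" \
    "id:1002,phase:1,deny,status:429,log,msg:'Crawler rate limit exceeded',setenv:RATELIMITED=1"

# Add Retry-After only on the rate-limited responses; 'always' is required
# for mod_headers to act on error responses such as the 429.
Header always set Retry-After "3" env=RATELIMITED

# Friendly body instead of the default httpd error page.
ErrorDocument 429 "Too many requests, please retry in a few seconds."
```

Two points worth knowing before deploying this: rule 1001 runs before rule 1002 in the same phase, so a crawler that keeps hammering while denied keeps extending its own window and stays blocked until it actually backs off for 3 seconds; and @pmFromFile resolves a relative path against the directory of the file containing the rule, so keep the list beside the rules or give an absolute path.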