Thanks for the reply, but I’m actually just wanting to protect a small portion of the site. Almost all of the site can and should run without restrictions, except for some PHP scripts that (if hit repeatedly) cause performance issues.
When I looked into mod_evasive, you didn’t seem to be able to nominate a location or location(s) to which the limits alone would apply.
In other words, I want to wrap it into a Location – something along the lines of the following:
<LocationMatch "^/some/URL/that/needs/rate/limiting.php.*">
SecRule REQUEST_HEADERS:X-Forwarded-For "@unconditionalMatch" "phase:2,initcol:ip=%{MATCHED_VAR},pass,nolog,id:100"
SecRule IP:ACCESS_COUNT "@gt XX" "phase:2,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:102"
…
</LocationMatch>
With that in mind – does anyone know how the “@gt XX” “burst rate” for mod_security is calculated? In particular, how long before the burst counter gets reset etc.?
Thanks,
Patrick
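The draft rule above keys the IP collection on X-Forwarded-For via %{MATCHED_VAR}. That header is whatever the sender put in it unless a proxy you control overwrote or appended to it, so keying on it as sent lets a client obtain a fresh counter for every request simply by changing the header value. The following is an added example, not ModSecurity code and not from the Gist or this thread: a Python model of the two keying choices replayed against constructed traffic. TRUSTED_PROXIES is an assumed list of the site's own proxies, and the 20-request attack traffic is constructed for the example.

```python
"""Added example (not ModSecurity code): why the rate-limit key must not be
taken from X-Forwarded-For as sent.

TRUSTED_PROXIES and all traffic below are constructed for the example.
"""
import ipaddress
from collections import Counter
from typing import Callable, List, Optional, Tuple

# Assumption: the only hops allowed to speak for a client are our own proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_key(remote_addr: str, xff: Optional[str]) -> str:
    """What initcol:ip=%{MATCHED_VAR} on REQUEST_HEADERS:X-Forwarded-For does:
    the whole header value, whatever the client put there, becomes the key."""
    return xff if xff else remote_addr


def trusted_key(remote_addr: str, xff: Optional[str]) -> str:
    """Believe X-Forwarded-For only when the TCP peer is one of our proxies,
    and then take the right-most hop that is *not* one of our proxies: that is
    the address the first trusted proxy saw on the wire."""
    if not _trusted(ipaddress.ip_address(remote_addr)):
        return remote_addr          # direct client: its XFF is its own invention
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                   # unparsable hop: stop trusting the chain
        if not _trusted(addr):
            return str(addr)
    return remote_addr              # chain empty or entirely our own proxies


KeyFn = Callable[[str, Optional[str]], str]


def count_denied(traffic: List[Tuple[str, Optional[str]]],
                 key_fn: KeyFn, burst: int) -> int:
    """Replay requests through a per-key '@gt burst' counter (check first,
    then increment, as rules 102/103 do) and return how many would be denied."""
    seen: Counter = Counter()
    denied = 0
    for remote_addr, xff in traffic:
        key = key_fn(remote_addr, xff)
        if seen[key] > burst:       # rule 102: the check runs before the +1
            denied += 1
        else:
            seen[key] += 1          # rule 103
    return denied


# Constructed traffic: one client sends 20 requests, rotating a spoofed XFF.
DIRECT_ATTACK = [("198.51.100.7", f"203.0.113.{i}") for i in range(20)]
# The same client reaching Apache through our proxy 10.0.0.5, which appends
# the address it actually saw to the end of the chain.
PROXIED_ATTACK = [("10.0.0.5", f"203.0.113.{i}, 198.51.100.7")
                  for i in range(20)]

if __name__ == "__main__":
    for name, traffic in (("direct", DIRECT_ATTACK), ("proxied", PROXIED_ATTACK)):
        print(f"{name}: naive key denies {count_denied(traffic, naive_key, 5)}, "
              f"trusted key denies {count_denied(traffic, trusted_key, 5)}")
```

With burst 5 the naive key denies nothing in either case, because every request lands in a new counter; the trusted key collapses all 20 requests onto 198.51.100.7 and denies 14 of them. In Apache this trust decision is normally delegated to mod_remoteip (RemoteIPHeader X-Forwarded-For together with RemoteIPTrustedProxy or RemoteIPInternalProxy), after which the rules can key on REMOTE_ADDR instead of the raw header; confirm in SecDebugLog that your ModSecurity build reports the rewritten address before relying on it.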
From: Brent Clark <bre...@gm...>
Date: Friday, 11 March 2022 at 8:42 PM
To: mod...@li... <mod...@li...>
Subject: Re: [mod-security-users] Rate Limiting Apache: Units associated with "burst_rate_limit" ?
Hiya
If you want to look at some type of rate limiting?
Rather look to Apache's mod_evasive module.
Mod_evasive monitors incoming requests for suspicious activity from one IP, such as:
Several requests for the same page in one second.
More than 50 simultaneous requests per second.
Requests made while the IP is temporarily blacklisted.
The module sends a 403 error if any of these things happen.
HTH
Regards
Brent
On 2022/03/11 05:59, Patrick Rynhart wrote:
Hi all,
I’m wanting to introduce IP based rate limiting protection to our Apache config, and am basing my config off this Gist:
https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
I’m wanting to understand the line:
SecRule IP:ACCESS_COUNT "@gt {{ burst_rate_limit }}" "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:102"
In particular what are the units associated with burst_rate_limit? What does it mean if you set this variable to a value like 100? (Does this correspond to a rate of 100 per minute? If not, what does it correspond to?)
Thanks,
Patrick
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
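Both of Patrick's questions in this thread (what the units of burst_rate_limit are in the original post, and how long before the burst counter resets in the follow-up) turn on which decay directive accompanies the counter, and the Gist's own decay line is not quoted on this page. The following is an added example, not ModSecurity's code and not the Gist's rules: a Python model of the documented ModSecurity 2.x semantics of setvar, deprecatevar and expirevar applied to an IP:ACCESS_COUNT counter behind a "@gt BURST" rule. The rule ids, the placement of deprecatevar in phase 5, and the assumption that the collection is only written back when a value changed are mine and are marked in the code; verify the behaviour against your own rule set with SecDebugLogLevel 9, which logs the collection values on every request.

```python
"""Added example (not ModSecurity code, not the Gist's rules): a model of how
an IP:ACCESS_COUNT counter behind a '@gt BURST' rule moves over time.

Modelled directives, per the ModSecurity 2.x reference:
  initcol:ip=%{REMOTE_ADDR}                  one persistent counter per address
  SecRule IP:ACCESS_COUNT "@gt BURST" deny   checked BEFORE the increment
  setvar:ip.access_count=+1                  the increment (phase 2)
  deprecatevar:ip.access_count=UNITS/SECONDS subtract UNITS for every whole
      SECONDS elapsed since the collection was last written (phase 5 assumed)
  expirevar:ip.access_count=SECONDS          drop the variable SECONDS after the
      most recent expirevar, which re-arms on every counted request
Assumption: the collection (and its LAST_UPDATE_TIME) is written back only
when a value actually changed, and nothing else touches the counter.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IpAccessCount:
    burst: int                                   # N in '@gt N'
    deprecate: Optional[Tuple[int, int]] = None  # (UNITS, SECONDS) or None
    expire: Optional[int] = None                 # SECONDS or None
    count: int = 0
    last_write: Optional[float] = None           # collection LAST_UPDATE_TIME
    expires_at: Optional[float] = None

    def request(self, now: float) -> bool:
        """Run one request at time `now` (seconds); True means allowed."""
        dirty = False
        # Collection load: an expired variable is gone before any rule sees it.
        if self.expires_at is not None and now >= self.expires_at:
            self.count, self.expires_at = 0, None
        # Phase 2: the '@gt' check, then the +1 only if the check did not deny.
        allowed = self.count <= self.burst
        if allowed:
            self.count += 1
            dirty = True
            if self.expire is not None:
                self.expires_at = now + self.expire      # expirevar re-armed
        # Phase 5: deprecatevar decays in whole periods since the last write,
        # which is AFTER this request's check has already been made.
        if self.deprecate and self.last_write is not None:
            units, secs = self.deprecate
            decay = units * int((now - self.last_write) // secs)
            if decay > 0:
                self.count = max(0, self.count - decay)
                dirty = True
        if dirty:
            self.last_write = now
        return allowed


def run(limiter: IpAccessCount, times: List[float]) -> List[bool]:
    """Replay request timestamps and return the allow/deny decision for each."""
    return [limiter.request(t) for t in times]


def first_denied(decisions: List[bool]) -> Optional[int]:
    """1-based index of the first denied request, or None if none was denied."""
    for i, ok in enumerate(decisions, 1):
        if not ok:
            return i
    return None


def scenario_steady_rate(burst: int, units: int, secs: int,
                         interval: float, n: int) -> Optional[int]:
    """n requests `interval` seconds apart under deprecatevar UNITS/SECONDS.
    Decay needs a single gap of at least SECONDS since the last write, so
    traffic spaced closer than that never decays, however slow it is."""
    lim = IpAccessCount(burst=burst, deprecate=(units, secs))
    return first_denied(run(lim, [i * interval for i in range(n)]))


def scenario_backoff(burst: int, units: int, secs: int, quiet: float) -> List[bool]:
    """Exhaust the burst one request per second, stay quiet for `quiet`
    seconds, then send two more requests."""
    lim = IpAccessCount(burst=burst, deprecate=(units, secs))
    out = run(lim, [float(i) for i in range(burst + 2)])   # burst+1 pass, 1 denied
    t = burst + 1 + quiet
    return out + run(lim, [t, t + 1])


def scenario_expire(burst: int, window: int, times: List[float]) -> List[bool]:
    """expirevar only: the counter vanishes after `window` idle seconds, not
    `window` seconds after the first request, since each counted hit re-arms it."""
    return run(IpAccessCount(burst=burst, expire=window), times)
```

What the model shows for the questions asked: burst_rate_limit is a request count (a bucket depth), not a rate. Because the check runs before the increment, a value of 100 lets 101 requests through and denies from the 102nd that arrives before any decay. The rate is supplied by the decay directive: with deprecatevar 1/10 a client sending one request every 10 seconds is never denied, while one sending every 5 seconds is denied on the 7th request with burst 5, because each write resets the clock and two 5-second gaps never add up to a 10-second period. After a client backs off, the first request that breaks the silence is still denied under the phase-5 placement modelled here, since the decay is only applied after that request's check; the next one passes. With expirevar instead, the counter resets only after the configured number of idle seconds, so four requests 20 seconds apart all count against a 30-second expiry.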