Hi Patrick
I’m doing exactly this for a small portion of a website to prevent
aggressive scraping of content. This config is working for me:
<LocationMatch "^/protectedme$">
    SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog,id:100"
    SecAction "phase:5,deprecatevar:ip.hitcounter=1/5,pass,nolog,id:102"
    SecRule IP:HITCOUNTER "@gt 30" \
        "phase:2,pause:300,deny,status:429,skip:1,nolog,id:103"
    SecAction \
        "phase:2,pass,setvar:ip.hitcounter=+1,expirevar:ip.hitcounter=150,nolog,id:104"
</LocationMatch>
This is a “leaky-bucket” type setup whereby you are allowed a burst of 30
requests and the rate reduces at 1 request every 5 seconds.
Kind regards,
*Jamie*
ib3 Limited
01732 449974
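Added worked example, not code from Jamie, Patrick or ModSecurity itself: a Python model of the per-IP counter that the rules above build, with Jamie's numbers as defaults, to make the units concrete. The "@gt 30" threshold is a count of requests held in the IP collection, not a rate; the sustained rate comes from deprecatevar (1 per 5 s, i.e. 12 per minute), and expirevar drops the whole counter once the client has been quiet for 150 s. Two assumptions are mine and are labelled in the code: decay is credited only for whole elapsed intervals since the counter's last write, and the check rule runs before the increment rule (as the ids 103/104 above are ordered). The second half addresses a point in Patrick's sketch further down, which keys the collection on X-Forwarded-For as sent by the client: the hypothetical client_ip() helper and its trusted_proxies set show honouring that header only when the TCP peer is one of your own proxies.

```python
"""Added example (not code from the thread or from ModSecurity): a model of the
per-IP hit counter that the rules above build, plus a safe way to choose the
address that keys it.  Jamie's numbers are the defaults: burst 30, decay 1/5,
TTL 150."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import ipaddress


@dataclass
class HitCounter:
    """Models setvar:ip.hitcounter=+1, expirevar:ip.hitcounter=TTL,
    deprecatevar:ip.hitcounter=AMOUNT/INTERVAL and a deny rule on @gt BURST.
    Times are seconds from any clock; the dict stands in for the persistent
    IP collection."""
    burst: int = 30      # "@gt 30": a count of requests, not a rate
    amount: int = 1      # deprecatevar: subtract this much ...
    interval: int = 5    # ... for every full INTERVAL seconds since the last write
    ttl: int = 150       # expirevar: forget the client after TTL idle seconds
    state: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def current(self, ip: str, now: float) -> int:
        """Counter after expiry and decay.  Assumption: decay is credited only
        for whole intervals, so a client hitting faster than one request per
        INTERVAL never earns any decay at all."""
        if ip not in self.state:
            return 0
        count, last_write = self.state[ip]
        elapsed = now - last_write
        if elapsed >= self.ttl:
            del self.state[ip]
            return 0
        return max(count - self.amount * int(elapsed // self.interval), 0)

    def request(self, ip: str, now: float) -> int:
        """HTTP status the rules would give.  As in Jamie's config the check
        (id 103) runs before the increment (id 104), and deny ends the phase,
        so a refused request neither counts nor refreshes the TTL."""
        count = self.current(ip, now)
        if count > self.burst:
            return 429
        self.state[ip] = (count + 1, now)
        return 200

    def sustained_per_minute(self) -> float:
        """Throughput once the burst is spent: AMOUNT per INTERVAL."""
        return 60.0 * self.amount / self.interval


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Set[str]) -> str:
    """Pick a key the client cannot choose.  X-Forwarded-For is honoured only
    when the TCP peer is one of our own proxies, and then read from the right,
    skipping trusted hops; any unparsable hop falls back to the peer address.
    trusted_proxies is an assumed operator-supplied set (hypothetical helper)."""
    if remote_addr not in trusted_proxies or not xff:
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if hop not in trusted_proxies:
            return hop
    return remote_addr  # every listed hop was one of our proxies


def demo() -> dict:
    """Replay constructed traffic from one address through the default rules."""
    lim = HitCounter()
    ip = "203.0.113.5"  # constructed sample client
    burst = [lim.request(ip, 0.0) for _ in range(40)]           # 40 hits at once
    trickle = {t: lim.request(ip, float(t)) for t in (5, 7, 10)}
    return {
        "allowed_in_burst": burst.count(200),     # 31: counter must *exceed* 30
        "denied_in_burst": burst.count(429),      # 9
        "trickle": trickle,                       # {5: 200, 7: 429, 10: 200}
        "sustained_per_minute": lim.sustained_per_minute(),  # 12.0
        "after_idle": lim.request(ip, 160.0),     # 200: TTL wiped the client
    }


if __name__ == "__main__":
    print(demo())
```

Two things the replay makes visible that the rules alone do not: "@gt 30" admits 31 requests, not 30, because the check precedes the increment; and a client that keeps hammering faster than one request per interval never decays under the whole-interval assumption, so it stays blocked until it backs off (or until the 150 s TTL clears it). With the same helper, `client_ip("203.0.113.5", "10.0.0.9, 198.51.100.7", {"10.0.0.1"})` returns the peer address because the peer is not a trusted proxy, which is the difference from keying the collection on the raw header.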
--
*From:* Patrick Rynhart <P.R...@ma...>
*Sent:* 11 March 2022 07:58
*To:* mod...@li...
*Subject:* Re: [mod-security-users] Rate Limiting Apache: Units associated with "burst_rate_limit" ?
Thanks for the reply, but I’m actually just wanting to protect a small
portion of the site. Almost all of the site can and should run without
restrictions, except for some PHP scripts that (if hit repeatedly) cause
performance issues.
When I looked into mod_evasive, you didn’t seem to be able to nominate a
location or location(s) to which the limits would apply only.
In other words, I want to wrap it into a Location – something along the
lines of the following:
<LocationMatch "^/some/URL/that/needs/rate/limiting.php.*">
    SecRule REQUEST_HEADERS:X-Forwarded-For "@unconditionalMatch" \
        "phase:2,initcol:ip=%{MATCHED_VAR},pass,nolog,id:100"
    SecRule IP:ACCESS_COUNT "@gt XX" \
        "phase:2,deny,status:429,setenv:RATELIMITED,skip:1,nolog,id:102"
    …
</LocationMatch>
With that in mind, does anyone know how the “@gt XX” “burst rate” for
mod_security is calculated? In particular, how long before the burst
counter gets reset, etc.?
Thanks,
Patrick
*From: *Brent Clark <bre...@gm...>
*Date: *Friday, 11 March 2022 at 8:42 PM
*To: *mod...@li... <mod...@li...>
*Subject: *Re: [mod-security-users] Rate Limiting Apache: Units associated with "burst_rate_limit" ?
Hiya
If you want to look at some type of rate limiting?
Rather look at Apache's mod_evasive module.
Mod_evasive monitors incoming requests for suspicious activity from one IP,
such as:
Several requests for the same page in one second.
More than 50 simultaneous requests per second.
Requests made while the IP is temporarily blacklisted.
The module sends a 403 error if any of these things happen.
HTH
Regards
Brent
On 2022/03/11 05:59, Patrick Rynhart wrote:
Hi all,
I’m wanting to introduce IP based rate limiting protection to our Apache
config, and am basing my config off this Gist:
https://gist.github.com/josnidhin/91d1ea9cd71fde386c27a9228476834e
I’m wanting to understand the line:
SecRule IP:ACCESS_COUNT "@gt {{ burst_rate_limit }}" \
    "phase:2,pause:300,deny,status:503,setenv:RATELIMITED,skip:1,nolog,id:102"
In particular, what are the units associated with burst_rate_limit? What
does it mean if you set this variable to a value like 100? (Does this
correspond to a rate of 100 per minute? If not, what does it correspond
to?)
Thanks,
Patrick
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/