Re: [mod-security-users] Re: HTTPD Dos
From: Ivan R. <iv...@we...> - 2004-11-13 11:16:08
> I have been getting attacks with over 1000 per second requests like this:
>
> default.domain 141.150.49.213 - - [04/Nov/2004:09:30:52 +0000] "OPTIONS / HTTP/1.1" 403 266 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600" (-)
>
> They seem to have stopped before I did anything about them, but I was
> looking at mod_dosevasive available here:
>
> http://www.nuclearelephant.com/projects/dosevasive/
>
> It doesn't look like it's been developed in over a year (perhaps it doesn't
> need it?) but it might be useful. I wonder if there is any case for
> integrating it with mod_security?
>
> Another approach in this case will be just to block OPTIONS requests, but
> other DOS attacks might not use this request method.

I don't think you would benefit from blocking such attacks on the web server level. An OPTIONS request is handled quickly anyway. Handling it differently would not increase performance or slow down the attack. Blocking on the web server would help if the target of the attack is a script that consumes a lot of server resources, for example a script that performs intensive database operations.

But, in general, I think the only feasible DoS defence is with a firewall, on the network level.

My idea about DoS defence is to log relevant events to the error log, and then use a parallel process (either in real-time or started from cron every couple of minutes) to examine what is happening and configure the firewall accordingly.

As far as I am aware mod_dosevasive does not need to develop further if the general concept it uses is going to stay. The only thing I don't like about it is that it doesn't share information about attacks between processes. So every Apache child needs to activate its own defences.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
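
The log-watching process described in the reply above, sketched as an added example that is not part of the original message or of ModSecurity: it reads log lines, finds clients that exceed a per-second request rate, and renders firewall rules for them. The access-log format (taken from the quoted line), the threshold, the allowlist parameter, the function names and the use of iptables are all assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Vhost-prefixed access log format, as in the line quoted in the message.
LINE_RE = re.compile(r'^\S+ (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_flooders(lines, max_per_second=100, allowlist=()):
    """Return addresses that sent more than max_per_second requests in any one second."""
    per_second = defaultdict(Counter)  # address -> {timestamp: request count}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access log line in the expected format
        try:
            ip = ipaddress.ip_address(m.group("ip"))
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # never pass an unparsed field on to the firewall step
        per_second[ip][ts] += 1
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    return sorted(str(ip) for ip, counts in per_second.items()
                  if ip not in allowed and max(counts.values()) > max_per_second)


def firewall_rules(addresses):
    """Render one DROP rule per address (assumes an iptables firewall)."""
    return [f"iptables -I INPUT -s {a} -j DROP" for a in addresses]


def sample_log():
    """Constructed input: one flooding client, one normal client, one junk line."""
    flood = ['default.domain 192.0.2.10 - - [04/Nov/2004:09:30:52 +0000] '
             '"OPTIONS / HTTP/1.1" 403 266 "-" "-" (-)'] * 150
    normal = [f'default.domain 198.51.100.7 - - [04/Nov/2004:09:30:5{s} +0000] '
              '"GET / HTTP/1.1" 200 512 "-" "-" (-)' for s in (1, 2, 3)]
    return flood + normal + ["truncated or malformed line"]


if __name__ == "__main__":
    for rule in firewall_rules(find_flooders(sample_log())):
        print(rule)
```

Because the decision is made in one place from the shared log, it does not depend on which Apache child handled each request.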