Re: [mod-security-users] anyone saw this dos-ish attack + how to block
From: Ivan R. <iv...@we...> - 2005-06-24 22:48:22
Hugh Beaumont wrote:
> I've been getting a lot of lines like this in my logs:
>
> - 200.39.103.224 - - [24/Jun/2005:02:45:22 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:23 -0400] "-" 408 - "-" "-"
> - 148.244.150.58 - - [24/Jun/2005:02:45:31 -0400] "-" 408 - "-" "-"
> - 168.212.79.8 - - [24/Jun/2005:02:45:58 -0400] "-" 408 - "-" "-"
>
> Anyone know a quick mod_security method to block these. I hate to just ask without any
> research on my part but it's causing some big problems on this particular server so I thought I
> would fire off a quick message in case anyone has seen this before and has a solution.

How many such requests per minute do you get?

You won't be able to use mod_security for this purpose. But you could use blacklist:

http://www.apachesecurity.net/tools/

You'll only need to write a Perl script that watches the access log and counts the number of 408 responses per IP address. Be careful, though, timeouts can happen during normal operation as well.

> but it's causing some big problems on this particular server

You should also look into reducing the timeout value of the server.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
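A sketch of the per-IP 408 counter described in the reply above, added here as an example; it is written in Python rather than Perl and is not part of the original message or of the `blacklist` tool. The function name, the threshold of 5 and the 60-second window are assumptions, and the sample log lines are constructed using documentation address ranges. A sliding window keeps occasional, widely spaced timeouts from being flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Access-log line with an optional leading field, as in the quoted log excerpt.
LINE_RE = re.compile(
    r'^(?:\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) '
)

def find_408_offenders(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs with >= threshold 408s inside one window.

    Assumes lines are in chronological order, as in a live access log.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 408s still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "408":
            continue
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        # Drop timeouts that have aged out of the window.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders

# Constructed sample: one burst of 408s, two isolated timeouts, one normal request.
SAMPLE = (
    ['- 192.0.2.10 - - [24/Jun/2005:02:45:%02d -0400] "-" 408 - "-" "-"' % s
     for s in (1, 5, 9, 14, 20, 28)]
    + ['- 198.51.100.7 - - [24/Jun/2005:02:%02d:00 -0400] "-" 408 - "-" "-"' % m
       for m in (10, 20)]
    + ['203.0.113.5 - - [24/Jun/2005:02:46:00 -0400] "GET / HTTP/1.0" 200 512 "-" "-"']
)

if __name__ == "__main__":
    for ip, count in find_408_offenders(SAMPLE).items():
        print(f"{ip}: {count} timeouts within 60s")
```
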