Re: [mod-security-users] DDOS on the appl level, timeouts and blacklisting
From: Ivan R. <iva...@gm...> - 2006-08-23 20:55:45
On 8/21/06, Christian Folini <chr...@ti...> wrote:
> Hi there,
>
> There have been a couple of meetings regarding ddos threats
> against our ssl sites. So far no attack has occurred, but we are trying
> to be prepared.
Hi Christian,
I have thought a lot about this subject. Unfortunately I have little
time to respond in depth right now but I promise to follow up when I
get back in two weeks' time.
Ryan has already provided a very good answer. httpd-guardian should
work, but you need to put some effort into installing it.
ModSecurity 2 can actually track request rate per, well, anything, but
you are likely to want to look at the request rate per IP address. It
works something like this (not tested):
# initialise IP tracking, then update variable to force the collection
# to be updated on disk (ModSecurity only updates data when it changes.)
SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,nolog,pass
Once the above line executes, the variable IP.UPDATE_RATE should
contain the number of updates (requests) per minute.
The only aspect of the above configuration I haven't tested is speed.
At the moment ModSecurity uses a SDBM database to track persistent
data. It is probably going to be fast but not as fast as an in-memory
solution. But that's just an implementation detail, I expect an
improved (faster) persistent storage mechanism to be added reasonably
soon.
Also, I am happy to add a few variables to track the time elapsed
since the connection was created, and also to track the speed at which
the data is being received. E.g. if someone is sending data very
slowly he's probably trying to DoS the server.
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
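As an added illustration of the per-IP rate tracking described in the message above (example configuration written for this page, not taken from the original post or from the ModSecurity project), the following completes the initcol line with the rules that act on IP:UPDATE_RATE. The threshold of 60 requests per minute, the rule ids, the data directory and the 503 status are all assumptions.

```apache
# Per-IP request rate limiting with ModSecurity 2 persistent collections.
# Assumed values: 60 requests/minute threshold, hypothetical rule ids 900100-900103
# (the id action is required by ModSecurity 2.7 and later), /var/cache/modsecurity
# as the collection store, and HTTP 503 as the response to a rate-limited client.

# On-disk store for persistent collections; must be writable by the httpd user.
SecDataDir /var/cache/modsecurity

# Initialise the per-client collection keyed on the source address, then touch a
# variable so the collection is written back on every request (ModSecurity only
# persists a collection when something in it changed).
SecAction "phase:1,id:900100,nolog,pass,initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1"

# IP:UPDATE_RATE is maintained by ModSecurity itself: the average number of
# updates per minute since the collection was created. Deny once a client
# exceeds the assumed threshold; the rate is logged for later analysis.
SecRule IP:UPDATE_RATE "@gt 60" \
    "phase:1,id:900101,deny,status:503,log,msg:'Per-IP request rate %{IP.UPDATE_RATE}/min exceeds limit'"

# Alternative with an explicit counter: increment it on every request and let it
# expire after 60 seconds, so the decision is based on the last minute of traffic
# rather than on an average over the whole lifetime of the collection.
SecAction "phase:1,id:900102,nolog,pass,setvar:ip.requests=+1,expirevar:ip.requests=60"
SecRule IP:REQUESTS "@gt 60" \
    "phase:1,id:900103,deny,status:503,log,msg:'More than 60 requests in the last minute from %{REMOTE_ADDR}'"
```

Keep the caveat from the message in mind: the collection store is an on-disk SDBM database, so measure its overhead on a busy site before relying on it.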