Re: [mod-security-users] DDOS on the appl level, timeouts and blacklisting
From: Christian F. <chr...@ti...> - 2006-08-23 21:39:23
On Wed, Aug 23, 2006 at 04:17:21PM -0500, De Vries, Richard wrote:
> What is everyone's opinion on mod_evasive, found here:
> http://www.zdziarski.com/projects/mod_evasive/ ?

Ryan has mentioned it in his message. It looks like an interesting tool when an attacker wants to eat your bandwidth and hammers you using http keepalive. But if he just tries to block your threads/processes, then mod_evasive can't help you. This is due to the lack of shared memory. As a consequence every process/thread remains isolated from the other ones and mod_evasive can't tell what's going on.

regs,

Christian

> -----Original Message-----
> From: mod...@li... [mailto:mod...@li...] On Behalf Of Ivan Ristic
> Sent: Wednesday, August 23, 2006 3:56 PM
> To: Christian Folini
> Cc: mod...@li...
> Subject: Re: [mod-security-users] DDOS on the appl level, timeouts and blacklisting
>
> On 8/21/06, Christian Folini <chr...@ti...> wrote:
> > Hi there,
> >
> > There have been a couple of meetings regarding ddos threats against
> > our ssl sites. So far no attack occurred, but we are trying to be
> > prepared.
>
> Hi Christian,
>
> I have thought a lot about this subject. Unfortunately I have little
> time to respond in depth right now but I promise to follow up when I get
> back in two weeks' time.
>
> Ryan has already provided a very good answer. httpd-guardian should work
> but you need to put some effort to install it.
>
> ModSecurity 2 can actually track request rate per, well, anything, but
> you are likely to want to look at the request rate per IP address. It
> works something like this (not tested):
>
> # initialise IP tracking, then update variable to force the collection
> # to be updated on disk (ModSecurity only updates data when it changes.)
> SecAction initcol:ip=%{REMOTE_ADDR},setvar:ip.dummy=1,nolog,pass
>
> Once the above line executes the variable IP.UPDATE_RATE should contain
> the number of updates (requests) per minute.
>
> The only aspect of the above configuration I haven't tested is speed.
> At the moment ModSecurity uses a SDBM database to track persistent data.
> It is probably going to be fast but not as fast as an in-memory
> solution. But that's just an implementation detail, I expect an improved
> (faster) persistent storage mechanism to be added reasonably soon.
>
> Also, I am happy to add a few variables to track the time elapsed since
> the connection was created, and also to track the speed at which the
> data is being received. E.g. if someone is sending data very slowly he's
> probably trying to DoS the server.
>
> --
> Ivan Ristic, Technical Director
> Thinking Stone, http://www.thinkingstone.com
> ModSecurity: Open source Web Application Firewall
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
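The point the thread turns on, that a per-process table (no shared memory, as Christian describes for mod_evasive) sees only its own slice of a flood while a single per-IP collection shared by all workers (what Ivan's initcol:ip gives you) sees the whole of it, as an added simulation. This is constructed Python for illustration, not code from mod_evasive, ModSecurity or anyone in the thread; the traffic stream, worker count, threshold and client address are all made up, and the per-minute rate is a plain sliding-window count rather than ModSecurity's own UPDATE_RATE arithmetic.

```python
from collections import defaultdict, deque

WINDOW = 60  # seconds; the rates below are requests per minute

class RateTable:
    """One table of per-client request timestamps. hit() records a request
    and returns how many requests that client made inside the last WINDOW
    seconds, i.e. its current per-minute rate."""

    def __init__(self):
        self.seen = defaultdict(deque)

    def hit(self, client, now):
        q = self.seen[client]
        q.append(now)
        while q and q[0] <= now - WINDOW:  # drop hits older than the window
            q.popleft()
        return len(q)

def simulate(requests, workers, threshold):
    """requests: list of (timestamp, client_ip) in arrival order, handed
    round-robin to a pool of `workers` server processes.
    isolated: each process keeps its own table (no shared memory, the
              mod_evasive situation Christian describes).
    shared:   one table every process sees (a persistent per-IP
              collection, as with ModSecurity's initcol:ip).
    Returns the peak per-minute rate each scheme saw and whether it
    exceeded `threshold`, i.e. whether that scheme would have blocked."""
    isolated = [RateTable() for _ in range(workers)]
    shared = RateTable()
    peak_isolated = peak_shared = 0
    for i, (ts, ip) in enumerate(requests):
        peak_isolated = max(peak_isolated, isolated[i % workers].hit(ip, ts))
        peak_shared = max(peak_shared, shared.hit(ip, ts))
    return {
        "isolated_peak": peak_isolated,
        "shared_peak": peak_shared,
        "isolated_blocks": peak_isolated > threshold,
        "shared_blocks": peak_shared > threshold,
    }

def flood(client, per_second, seconds):
    """Constructed traffic: one client sending `per_second` requests in
    every second for `seconds` seconds (whole-second timestamps)."""
    return [(s, client) for s in range(seconds) for _ in range(per_second)]

if __name__ == "__main__":
    # Constructed: 10 req/s for a minute from a TEST-NET address, 10 workers, block above 100 req/min
    print(simulate(flood("198.51.100.7", 10, 60), workers=10, threshold=100))
```

With ten workers each process sees only 60 requests per minute from the flooding client and never trips a 100 req/min limit, while the shared table sees all 600 and does.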