Thread: [Mod-security-developers] CRS DoS bugs/suggestions
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
mod-security-developers
|
From: Oleg G. <ole...@ya...> - 2011-06-16 16:32:17
Attachments:
dos-test.pl
|
I was testing DoS ruleset lately and found that there probably was a bug related to ip.dos_counter variable. The expiration time was not set for this var, as a result the counter persists longer than tx.dos_burst_time_slice. As a result, the history of hits is counted for a longer time period.
I've added expiration time in two places and it started to work correctly after that. The changes are below:
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
...
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
I've also attached the sample of testing program. I think, we should have something like that to test all limits. There are only two tests implemented for now: for request size and DoS, but it should be easy to add more.
|
|
From: Ryan B. <RBa...@tr...> - 2011-06-17 12:16:05
|
Oleg,
First of all, thank you for taking the time to test these rules further. The rule quality will only improve if the community takes the time to test them and report back the status.
To your comments about the lack of "expirevar" actions, this should not be needed for the ip.dos_counter var as the last rule uses the "setvar:!ip.dos_counter" action to actually remove that variable if the operator matches. Can you please check your debug log during testing to verify if that action is not removing that variable? Perhaps there is a bug in removing the variable with the "!" symbol and using expirevar is more reliable.
Also – what version of ModSecurity are you using?
-Ryan
From: Oleg Gryb <ole...@ya...<mailto:ole...@ya...>>
Reply-To: "ol...@gr...<mailto:ol...@gr...>" <ol...@gr...<mailto:ol...@gr...>>, "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Date: Thu, 16 Jun 2011 11:32:11 -0500
To: "mod...@li...<mailto:mod...@li...>" <mod...@li...<mailto:mod...@li...>>
Subject: [Mod-security-developers] CRS DoS bugs/suggestions
I was testing DoS ruleset lately and found that there probably was a bug related to ip.dos_counter variable. The expiration time was not set for this var, as a result the counter persists longer than tx.dos_burst_time_slice. As a result, the history of hits is counted for a longer time period.
I've added expiration time in two places and it started to work correctly after that. The changes are below:
SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$" "phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
...
SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}" "phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
I've also attached the sample of testing program. I think, we should have something like that to test all limits. There are only two tests implemented for now: for request size and DoS, but it should be easy to add more.
________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
|
|
From: Oleg G. <ole...@ya...> - 2011-06-17 17:58:22
|
No, I think it's a logical error. !ip.dos_counter is called only after
dos_counter reached the threshold. Now, think about the following scenario:
1. I've sent a couple of requests
2. Waited for more than dos_burst_time_slice seconds hoping that it will clear
the dos_counter
3. Send some requests again. All of them will be added to the dos_counter
becuase it didn't expire.
All that means that you can keep adding to dos_counter for a very long period
of time, which is much longer than dos_burst_time_slice and it defeats the
purpose of dos_burst_time_slice parameter in my view.
----- Original Message ----
> From: Ryan Barnett <RBa...@tr...>
> To: "ol...@gr..." <ol...@gr...>;
>"mod...@li..."
><mod...@li...>
> Sent: Fri, June 17, 2011 5:15:57 AM
> Subject: Re: [Mod-security-developers] CRS DoS bugs/suggestions
>
> Oleg,
> First of all, thank you for taking the time to test these rules further. The
>rule quality will only improve if the community takes the time to test them and
>report back the status.
>
> To your comments about the lack of "expirevar" actions, this should not be
>needed for the ip.dos_counter var as the last rule uses the
>"setvar:!ip.dos_counter" action to actually remove that variable if the
>operator matches. Can you please check your debug log during testing to verify
>if that action is not removing that variable? Perhaps there is a bug in
>removing the variable with the "!" symbol and using expirevar is more reliable.
>
> Also – what version of ModSecurity are you using?
>
> -Ryan
>
> From: Oleg Gryb <ole...@ya...<mailto:ole...@ya...>>
> Reply-To: "ol...@gr...<mailto:ol...@gr...>"
><ol...@gr...<mailto:ol...@gr...>>,
>"mod...@li...<mailto:mod...@li...>"
>
><mod...@li...<mailto:mod...@li...>>
>
> Date: Thu, 16 Jun 2011 11:32:11 -0500
> To:
>"mod...@li...<mailto:mod...@li...>"
>
><mod...@li...<mailto:mod...@li...>>
>
> Subject: [Mod-security-developers] CRS DoS bugs/suggestions
>
>
> I was testing DoS ruleset lately and found that there probably was a bug
>related to ip.dos_counter variable. The expiration time was not set for this
>var, as a result the counter persists longer than tx.dos_burst_time_slice. As a
>result, the history of hits is counted for a longer time period.
>
> I've added expiration time in two places and it started to work correctly
>after that. The changes are below:
>
> SecRule REQUEST_BASENAME "!\.(jpe?g|png|gif|js|css|ico)$"
>"phase:5,t:none,nolog,pass,setvar:ip.dos_counter=+1,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
>
>
> ...
>
> SecRule IP:DOS_COUNTER "@ge %{tx.dos_counter_threshold}"
>"phase:5,t:none,nolog,pass,t:none,setvar:ip.dos_burst_counter=+1,expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},setvar:!ip.dos_counter,expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"
>
>
> I've also attached the sample of testing program. I think, we should have
>something like that to test all limits. There are only two tests implemented
>for now: for request size and DoS, but it should be easy to add more.
>
>
>
> ________________________________
> This transmission may contain information that is privileged, confidential,
>and/or exempt from disclosure under applicable law. If you are not the intended
>recipient, you are hereby notified that any disclosure, copying, distribution,
>or use of the information contained herein (including any reliance thereon) is
>STRICTLY PROHIBITED. If you received this transmission in error, please
>immediately contact the sender and destroy the material in its entirety,
>whether in electronic or hard copy format.
>
>
|
Thanks for helping keep SourceForge clean.
X