I'm trying to mitigate a slow read attack via SecWriteStateLimit and
My environment is varnish + apache with mod_rpaf to get real client IP.
slowhttptest -c 10 -B -u http://URL
The log contains:
[Mon Mar 12 17:19:05 2012] [warn] ModSecurity: Access denied with code
400. Too many threads  of 5 allowed in WRITE state from 82.85.Y.X -
Possible DoS Consumption Attack [Rejected]
[Mon Mar 12 17:19:08 2012] [warn] ModSecurity: Access denied with code
400. Too many threads  of 5 allowed in READ state from 127.0.0.1 -
Possible DoS Consumption Attack [Rejected
So: in WRITE state the detected IP is fine, but in READ state it is wrong.
I suppose that, detecting READ state, mod_rpaf operates too late, but I
don't know if there is a way to change this order.
Thanks a lot