From: Ryan Barnett <Ryan.Barnett <at> Breach.com>
Subject: Re: Throttling
Newsgroups: gmane.comp.apache.mod-security.user
Date: Wednesday 2nd May 2007 13:12:09 UTC (over 10 years ago)
Looks like Chris beat me again :)  

Just to show you, however, that there are many ways to implement this
with collections, here is another version.  The following ruleset will use
initcol to create a persistent collection based on the client's IP
address.  It will then start incrementing the "request_count" variable
on each request and will expire this same variable 24 hrs after the last
request.  It will then evaluate the request_count variable to see if it
is greater than or equal to 2000.  If it is, it sets a new variable -
ip.blocked.  The last rule will only check for the existence of
ip.blocked.  If it is set, it will deny the connection and then send a
redirect to the client to send them to a "friendly" page telling them
why they are blocked.  The 2nd rule in this ruleset is to allow clients
with ip.blocked set to get to this friendly page.

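# Count every request per client IP; the counter expires 24 hours after the last request.
SecAction "phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR}, \
setvar:ip.request_count=+1,expirevar:ip.request_count=86400"

# Let blocked clients reach the explanation page (phase 1, so it runs before the block rule).
SecRule REQUEST_URI "^/request_limit_exceeded\.html$" \
"phase:1,log,allow,ctl:ruleEngine=off"

# Flag the client for one hour once it reaches 2000 requests.
SecRule IP:REQUEST_COUNT "@ge 2000" \
"phase:1,pass,nolog,setvar:ip.blocked=1, \
expirevar:ip.blocked=3600"

# Redirect flagged clients to the explanation page.
SecRule IP:BLOCKED "@eq 1" "phase:1,deny,log, \
redirect:http://www.site.com/request_limit_exceeded.html"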

-- 
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache
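
The window behaviour of the ruleset above, modelled as an added example (not part of the original post and not ModSecurity code). It assumes the counter is stored as ip.request_count, matching the IP:REQUEST_COUNT check; IpCollection, handle() and replay() are hypothetical names, and the request times are constructed.

```python
# Added illustration: a small model of persistent-collection semantics
# (setvar / expirevar) as the ruleset uses them. Not ModSecurity code.
LIMIT, COUNT_TTL, BLOCK_TTL = 2000, 86400, 3600   # values from the ruleset
FRIENDLY = "/request_limit_exceeded.html"


class IpCollection:
    """Variables for one client IP; each may carry an absolute expiry time."""

    def __init__(self):
        self.vars = {}      # name -> value
        self.expiry = {}    # name -> second at which the variable is dropped

    def load(self, now):
        # initcol: variables whose expiry has passed are dropped on load
        for name in [n for n, t in self.expiry.items() if t <= now]:
            self.vars.pop(name, None)
            del self.expiry[name]

    def setvar(self, name, value, ttl, now):
        self.vars[name] = value
        self.expiry[name] = now + ttl   # expirevar restarts the timer each time


def handle(col, now, uri="/"):
    """Apply the four rules in order; return 'pass', 'allow' or 'redirect'."""
    col.load(now)
    # Rule 1: count every request; expiry moves to 24 h after this request
    count = col.vars.get("request_count", 0) + 1
    col.setvar("request_count", count, COUNT_TTL, now)
    # Rule 2: the explanation page stays reachable
    if uri == FRIENDLY:
        return "allow"
    # Rule 3: at or over the limit, (re)arm the one-hour block flag
    if count >= LIMIT:
        col.setvar("blocked", 1, BLOCK_TTL, now)
    # Rule 4: flagged clients are redirected
    return "redirect" if col.vars.get("blocked") == 1 else "pass"


def replay(times_and_uris):
    """Run constructed (time, uri) requests from one IP; return the decisions."""
    col = IpCollection()
    return [handle(col, t, u) for t, u in times_and_uris]
```

In this model the 2000th request is redirected, and a client over the limit is redirected again on its next request even after the one-hour ip.blocked flag has lapsed; the counter only clears after 24 hours without any request from that IP.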
 
 

> -----Original Message-----
> From: [email protected] [mailto:mod-
> [email protected]] On Behalf Of Christian
> Bockermann
> Sent: Wednesday, May 02, 2007 9:07 AM
> To: Russ Lavoie
> Cc: Mod Security
> Subject: Re: [mod-security-users] Throttling
> 
> You can do this using ModSecurity's collection-capabilities.
> First you initialize a collection wrt the ip-address
> 
> 	SecAction initcol:ip=%{REMOTE_ADDR},nolog
> 
> Now you have a collection called "IP" that you can use to save
> variables.
> The following rule will check if there exists a variable "count"
> within the ip-collection. If not, it will initialize such a variable
> to 0 and tell ModSecurity to expire it after 1 hour (3600 seconds).
> 
> 	SecRule &IP:COUNT "@eq 0" "setvar:ip.count=0,expirevar:ip.count=3600"
> 
> Then you can "count" the accesses using this collection
> 
> 	SecAction setvar:ip.count=+1
> 
> For example within a certain location (then you need to add a
> "phase: 2" to the actions). This will increment the variable "count"
> within the collection IP (which is associated with the REMOTE_ADDR)
> by one.
> 
> You can then use this variable to block an IP:
> 
> 	SecRule IP:COUNT "@gt 2000" "deny,status:500"
> 
> Note the different cases when setting and querying collection-variables.
> 
> 
> For a more bandwidth-oriented throttling you should probably have a look
> at mod_throttle, which also supports IP-based throttling, IIRC.
> 
> Regards,
>     Chris
> 
> 
> On 02.05.2007 at 14:47, Russ Lavoie wrote:
> 
> > Is there a way inside modsecurity that can throttle IP addresses.
> > Meaning, IPs are only allowed 2,000 hits per day and then denied...
> >
> > I went through the reference manual and saw nothing there regarding
> > this.
> >
> > Thanks
> >
> >
> > -------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2 express and take
> > control of your XML. No limits. Just data. Click to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > mod-security-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users