Gmane
From: Ryan Barnett <RBarnett <at> trustwave.com>
Subject: Re: DOS and DDOS rules
Newsgroups: gmane.comp.apache.mod-security.user
Date: Monday 13th February 2012 12:53:33 UTC
From: Ebrahim Khalilzadeh
Date: Mon, 13 Feb 2012 06:36:08 -0600
To: "[email protected]"
Subject: Re: [mod-security-users] DOS and DDOS rules

Dear Otto,
Hi,
I checked mod_evasive. That is a good module for DOS/DDOS attacks, thanks.
Adding new modules isn't a good solution for our business. I need a module
like mod_security that integrates all firewall features in layer 7.
I couldn't find any information about SecCollectionTimeout.

SecCollectionTimeout - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecCollectionTimeout

As for mod_evasive – one warning about its effectiveness. The DOSPageCount
directive can be easily bypassed if the attacker does not use HTTP
keep-alives. If the attacker forces Apache to initiate a new thread for each
request, then this directive will never be reached. The problem is that
mod_evasive does not use shared memory for this directive and it is only
relevant for the current connection.

On the flip-side, while ModSecurity doesn't suffer from this same technical
problem (the use of IP collections), it is not as performant as it could be.
This is mainly due to the fact that the persistent collection data is kept
in memory unless it is updated, and then it is swapped to disk. When under a
DoS attack, our rules are updating the collection data upon each request to
track bursts of traffic. This means that it is swapping for each request.
One recommendation I would make for any ModSec install is to create a RAM
disk partition and then use it to specify SecDataDir - http://sourceforge.net/apps/mediawiki/mod-security/index.php?title=Reference_Manual#SecDataDir.
This should help to cut down on the I/O when swapping data to persistent
collection files.

-Ryan



Regards,
Ebrahim



Otto Schlagmichtot wrote:
Hi,

perhaps is the option SecCollectionTimeout an alternative for you.

For DoS you also can use mod_evasive ...

regards, Kai


________________________________
From: Ebrahim Khalilzadeh
To: [email protected]
Sent: 13:01 Wednesday, 8 February 2012
Subject: [mod-security-users] DOS and DDOS rules

Dear Users,
Hi,
I have experience with rule '981048' for DOS protection. This rule uses the
initcol directive for keeping ip information. This rule works correctly and
it can detect dos attacks, but when my server rps (requests per second)
increases, mod_security error logs increase. These error logs are because of
access to the ip collection file and some deadlock access problems.
Is there a better rule for DOS and DDOS attacks? Is there a better solution
for keeping ip information (for example storing ip information in separate
files, one file for each ip)?

Best Regards,
Ebrahim

--


------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
mod-security-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/



--


________________________________
This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.


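The configuration below is an added example, not code from the thread or from ModSecurity/CRS itself. It puts the three points of the thread together in one ModSecurity 2.x fragment: SecDataDir on a RAM disk, SecCollectionTimeout, and a per-address burst counter kept in a persistent IP collection, written in the style of the CRS 2.x DoS rules the original poster refers to. The tmpfs path, the rule ids 900100-900105, the thresholds and the 503 status are illustrative choices; adjust them before dropping the fragment into a server that already has SecRuleEngine and the rest of its ModSecurity setup configured.

```apache
# Added example (not from the thread, nor from ModSecurity or CRS): a minimal
# per-client burst detector whose state lives in a persistent IP collection.
# Rule ids, paths, thresholds and the 503 status are illustrative choices.

# 1. Keep collection files on a RAM disk.  Assumes the administrator has
#    already mounted a tmpfs there, e.g.:
#      mount -t tmpfs -o size=64m,mode=0750 tmpfs /var/cache/modsecurity/data
#    Every request below updates the collection, so each request is a write
#    under SecDataDir; tmpfs keeps that write off the disk.
SecDataDir /var/cache/modsecurity/data

# 2. Purge collections idle for more than 600 seconds (the default is 3600),
#    so the file does not keep an entry for every address that ever sent one
#    request.
SecCollectionTimeout 600

# 3. Tunables: window length, requests per window, block duration (seconds).
SecAction "phase:1,id:900100,nolog,pass,t:none,\
  setvar:'tx.dos_burst_time_slice=60',\
  setvar:'tx.dos_counter_threshold=100',\
  setvar:'tx.dos_block_timeout=600'"

# 4. Load the per-client collection, keyed on the source address.  The key
#    is the address, not the connection, so a client that opens a fresh
#    connection for every request is counted exactly like a keep-alive one.
SecAction "phase:1,id:900101,nolog,pass,t:none,initcol:ip=%{REMOTE_ADDR}"

# 5. Refuse early if this address is still inside its block period.
SecRule IP:DOS_BLOCK "@eq 1" \
  "phase:1,id:900102,t:none,deny,status:503,log,\
   msg:'Client in DoS block period'"

# 6. Count every request in phase 5 (logging), so denied requests count too;
#    the counter expires with the time slice.
SecAction "phase:5,id:900103,nolog,pass,t:none,\
  setvar:ip.dos_counter=+1,\
  expirevar:ip.dos_counter=%{tx.dos_burst_time_slice}"

# 7. Threshold crossed within one slice counts as one burst; reset the
#    counter so the next burst is measured from zero.
SecRule IP:DOS_COUNTER "@gt %{tx.dos_counter_threshold}" \
  "phase:5,id:900104,nolog,pass,t:none,\
   setvar:ip.dos_burst_counter=+1,\
   expirevar:ip.dos_burst_counter=%{tx.dos_burst_time_slice},\
   setvar:!ip.dos_counter"

# 8. Two bursts inside one slice: mark the address blocked for
#    dos_block_timeout seconds.  Rule 900102 enforces it on the next request.
SecRule IP:DOS_BURST_COUNTER "@ge 2" \
  "phase:5,id:900105,pass,log,t:none,\
   msg:'DoS burst threshold exceeded, blocking %{REMOTE_ADDR}',\
   setvar:ip.dos_block=1,\
   expirevar:ip.dos_block=%{tx.dos_block_timeout}"
```

Two things to keep in mind when using it. The block decision is lagging by design: the request that trips rule 900105 is still served, and only the following requests from that address hit the deny in 900102. And the RAM disk trims the I/O cost that the reply above is about; the collection file is still shared and locked by every worker on every update, so the per-request update cost does not disappear, and behind a reverse proxy all clients share one REMOTE_ADDR key unless the real client address is used instead.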