Hi,
On Sun, Apr 16, 2023 at 05:35:24PM +0530, Blason R wrote:
>
> Here are the final rules
> SecRule RESPONSE_STATUS "@streq 408" \
> "phase:5,\
> t:none,\
> nolog,\
> pass,\
> setvar:ip.slow_dos_counter=+1,\
> expirevar:ip.slow_dos_counter=60,\
> id:'160420230822'"
>
> SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
> "phase:1,\
> t:none,\
> log,\
> drop,\
> msg:'Client Connection Dropped due to high number of slow DoS alerts',\
> id:'160420230823'"
If I understand correctly, you check the response status for 408, and if
it matches for the current IP, you increment a counter. (Note
that - as I wrote - `expirevar` won't work in libmodsecurity3.)
In the other rule, you check the counter value, and if it is
greater than 5, you drop the request.
Lack of expirevar in libmodsecurity3 will block the IP until you
restart Nginx.
On the other hand: I should protect the server against this
attack with fail2ban, not with ModSecurity.
But the theory can work IMHO.
a.
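To make the behaviour discussed above concrete, here is an added emulation of the two quoted rules replayed over a few constructed Nginx access-log lines. It is not code from the thread or from ModSecurity: it models rule 160420230822 (count 408 responses per client IP and arm a 60 s expiry, with the expiry re-armed on every hit as ModSecurity 2's expirevar does) and rule 160420230823 (drop the request when the counter is greater than 5). Passing `ttl=None` models libmodsecurity3, where, per the reply, expirevar is not implemented, so the counter never decays. The IPs, timestamps and log lines are constructed for the example.

```python
"""Emulation of a per-IP 408 counter with and without expiry (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: $remote_addr - $remote_user [$time_local] "$request" $status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.5 triggers six 408s in five seconds, then
# comes back at +20 s and again at +200 s; 198.51.100.7 is an unrelated client.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Apr/2023:12:00:00 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [16/Apr/2023:12:00:01 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [16/Apr/2023:12:00:02 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [16/Apr/2023:12:00:03 +0000] "-" 408 0 "-" "-"
198.51.100.7 - - [16/Apr/2023:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.88.1"
203.0.113.5 - - [16/Apr/2023:12:00:04 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [16/Apr/2023:12:00:05 +0000] "-" 408 0 "-" "-"
203.0.113.5 - - [16/Apr/2023:12:00:20 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88.1"
203.0.113.5 - - [16/Apr/2023:12:03:20 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.88.1"
"""


class IpCounters:
    """Models ip.slow_dos_counter as the two quoted rules use it."""

    def __init__(self, threshold=5, ttl=60):
        self.threshold = threshold
        self.ttl = ttl            # None: expirevar is a no-op (libmodsecurity3)
        self.count = defaultdict(int)
        self.expires = {}         # ip -> epoch seconds at which the var is removed

    def _expire(self, ip, now):
        # expirevar semantics: once the deadline passes the variable is removed,
        # so the next read sees 0 rather than the old count.
        if self.ttl is not None and ip in self.expires and now >= self.expires[ip]:
            self.count.pop(ip, None)
            self.expires.pop(ip, None)

    def phase1_check(self, ip, now):
        """Rule 160420230823: True if this request would be dropped."""
        self._expire(ip, now)
        return self.count.get(ip, 0) > self.threshold   # @gt 5

    def phase5_on_response(self, ip, status, now):
        """Rule 160420230822: count 408 responses and (re)arm the expiry."""
        if status != 408:
            return
        self._expire(ip, now)
        self.count[ip] += 1                              # setvar:ip.slow_dos_counter=+1
        if self.ttl is not None:
            self.expires[ip] = now + self.ttl            # expirevar:...=60


def replay(log_text, ttl=60, threshold=5):
    """Replay access-log lines through the emulated rules.

    Returns one (ip, HH:MM:SS, "drop"|"allow") tuple per parsed line. A dropped
    request never reaches phase 5, so it cannot increment the counter itself.
    """
    counters = IpCounters(threshold=threshold, ttl=ttl)
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m["ip"], int(m["status"])
        when = datetime.strptime(m["ts"], TS_FMT)
        now = when.timestamp()
        clock = when.strftime("%H:%M:%S")
        if counters.phase1_check(ip, now):
            decisions.append((ip, clock, "drop"))
            continue
        counters.phase5_on_response(ip, status, now)
        decisions.append((ip, clock, "allow"))
    return decisions


def dropped(decisions):
    """Only the requests the emulated rule 160420230823 would drop."""
    return [d for d in decisions if d[2] == "drop"]


if __name__ == "__main__":
    print("with expirevar (60 s):   ", dropped(replay(SAMPLE_LOG, ttl=60)))
    print("without expirevar (v3):  ", dropped(replay(SAMPLE_LOG, ttl=None)))
```

With the 60 s expiry the request at 12:00:20 is dropped (the counter is already at 6) but the one at 12:03:20 is allowed again, because the variable expired 60 s after the last 408. With `ttl=None` both are dropped, which is the "blocked until you restart Nginx" situation the reply describes.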