Protection Against Slowloris and HTTP POST DoS Attack
59 views
Skip to first unread message
Blason R
Apr 15, 2023, 11:18:12 PM4/15/23
to ModSecurity Core Rule Set project
Hi Team,
I see we have REQUEST-912-DOS-PROTECTION.conf and I added custom rule like this? I have two queries.
Is this the correct place to implement this rule?
And are we protected by default with Slowloris and HTTP Slow POST DOS attack?
I am on nginx/1.22.1 and CRS 3.3.4
TIA
Blason R
Ervin Hegedüs
Apr 16, 2023, 3:49:35 AM4/16/23
to Blason R, ModSecurity Core Rule Set project
Hi Blason,
On Sun, Apr 16, 2023 at 08:47:59AM +0530, Blason R wrote:
> Hi Team,
>
> I see we have REQUEST-912-DOS-PROTECTION.conf and I added custom rule like
> this?
sorry, what custom rule do you think about?
> I have two queries.
>
> Is this the correct place to implement this rule?
implement what?
> And are we protected by default with Slowloris and HTTP Slow POST DOS
> attack?
I'm afraid this set does not protect against Slowloris.
> I am on nginx/1.22.1 and CRS 3.3.4
REQUEST-912-DOS-PROTECTION.conf uses SecLang's "expirevar"
action, which is not supported by libmodsecurity3.
You should take a look to CRS plugin:
https://github.com/coreruleset/dos-protection-plugin-modsecurity-v3
a.
On Sun, Apr 16, 2023 at 08:47:59AM +0530, Blason R wrote:
> Hi Team,
>
> I see we have REQUEST-912-DOS-PROTECTION.conf and I added custom rule like
> this?
> I have two queries.
>
> Is this the correct place to implement this rule?
> And are we protected by default with Slowloris and HTTP Slow POST DOS
> attack?
> I am on nginx/1.22.1 and CRS 3.3.4
action, which is not supported by libmodsecurity3.
You should take a look to CRS plugin:
https://github.com/coreruleset/dos-protection-plugin-modsecurity-v3
a.
Blason R
Apr 16, 2023, 8:04:54 AM4/16/23
to Ervin Hegedüs, ModSecurity Core Rule Set project
I am sorry - Here are the rules
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
Blason R
Apr 16, 2023, 8:05:36 AM4/16/23
to Ervin Hegedüs, ModSecurity Core Rule Set project
Ooops - Please ignore that mail.
Here are the final rules
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'160420230822'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'160420230823'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'160420230823'"
Ervin Hegedüs
Apr 16, 2023, 3:15:50 PM4/16/23
to Blason R, ModSecurity Core Rule Set project
Hi,
On Sun, Apr 16, 2023 at 05:35:24PM +0530, Blason R wrote:
>
> Here are the final rules
> SecRule RESPONSE_STATUS "@streq 408" \
> "phase:5,\
> t:none,\
> nolog,\
> pass,\
> t:none,\
> log,\
> drop,\
it matches for the current IP, you increment a counter. (Note,
that - as I wrote - `expirevar` won't work in libmodsecurity3.
In the other rule, you check the counter value, and if it is
greater than 5, you drop the request.
Lack of expirevar in libmodsecurity3 will block the IP while you
restart Nginx.
From the other hand: I should protect the server against this
attack with fail2ban, not with ModSecurity.
But the theory can work IMHO.
a.
On Sun, Apr 16, 2023 at 05:35:24PM +0530, Blason R wrote:
>
> Here are the final rules
> SecRule RESPONSE_STATUS "@streq 408" \
> t:none,\
> nolog,\
> pass,\
> setvar:ip.slow_dos_counter=+1,\
> expirevar:ip.slow_dos_counter=60,\
> id:'160420230822'"
>
> SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
> "phase:1,\
> expirevar:ip.slow_dos_counter=60,\
> id:'160420230822'"
>
> SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
> t:none,\
> log,\
> drop,\
> msg:'Client Connection Dropped due to high number of slow DoS alerts',\
> id:'160420230823'"
If I'm correctly, you check the response status for 408, and if
> id:'160420230823'"
it matches for the current IP, you increment a counter. (Note,
that - as I wrote - `expirevar` won't work in libmodsecurity3.
In the other rule, you check the counter value, and if it is
greater than 5, you drop the request.
Lack of expirevar in libmodsecurity3 will block the IP while you
restart Nginx.
From the other hand: I should protect the server against this
attack with fail2ban, not with ModSecurity.
But the theory can work IMHO.
a.
Blason R
Apr 16, 2023, 8:40:10 PM4/16/23
to Ervin Hegedüs, ModSecurity Core Rule Set project
Fail2ban - Hmm that's interesting. I am keen to know the regex for slowloris.
Ervin Hegedüs
Apr 17, 2023, 3:22:13 AM4/17/23
to Blason R, ModSecurity Core Rule Set project
Hi,
On Mon, Apr 17, 2023 at 06:09:56AM +0530, Blason R wrote:
> Fail2ban - Hmm that's interesting. I am keen to know the regex for
> slowloris.
I'm not sure you have to reinvent the weel :)
https://www.bullten.com/knowledgebase/62/Mitigating-Layer7-HTTP-Flood-with-NginxplusFail2ban.html
a.
On Mon, Apr 17, 2023 at 06:09:56AM +0530, Blason R wrote:
> Fail2ban - Hmm that's interesting. I am keen to know the regex for
> slowloris.
https://www.bullten.com/knowledgebase/62/Mitigating-Layer7-HTTP-Flood-with-NginxplusFail2ban.html
a.
Reply all
Reply to author
Forward
0 new messages