Protection Against Slowloris and HTTP POST DoS Attack

78 views
Skip to first unread message

Blason R

unread,
Apr 15, 2023, 11:18:12 PM4/15/23
to ModSecurity Core Rule Set project
Hi Team,

I see we have REQUEST-912-DOS-PROTECTION.conf and I added custom rule like this? I have two queries.

Is this the correct place to implement this rule?
And are we protected by default with Slowloris and HTTP Slow POST DOS attack?

I am on nginx/1.22.1 and CRS 3.3.4

TIA
Blason R

Ervin Hegedüs

unread,
Apr 16, 2023, 3:49:35 AM4/16/23
to Blason R, ModSecurity Core Rule Set project
Hi Blason,


On Sun, Apr 16, 2023 at 08:47:59AM +0530, Blason R wrote:
> Hi Team,
>
> I see we have REQUEST-912-DOS-PROTECTION.conf and I added custom rule like
> this?

sorry, what custom rule do you think about?

> I have two queries.
>
> Is this the correct place to implement this rule?

implement what?

> And are we protected by default with Slowloris and HTTP Slow POST DOS
> attack?

I'm afraid this set does not protect against Slowloris.

> I am on nginx/1.22.1 and CRS 3.3.4

REQUEST-912-DOS-PROTECTION.conf uses SecLang's "expirevar"
action, which is not supported by libmodsecurity3.

You should take a look to CRS plugin:

https://github.com/coreruleset/dos-protection-plugin-modsecurity-v3



a.

Blason R

unread,
Apr 16, 2023, 8:04:54 AM4/16/23
to Ervin Hegedüs, ModSecurity Core Rule Set project
I am sorry - Here are the rules

SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912017,phase:1,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 4" "id:912018,phase:2,pass,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"

Blason R

unread,
Apr 16, 2023, 8:05:36 AM4/16/23
to Ervin Hegedüs, ModSecurity Core Rule Set project
Ooops - Please ignore that mail.

Here are the final rules
SecRule RESPONSE_STATUS "@streq 408" "phase:5,t:none,nolog,pass, setvar:ip.slow_dos_counter=+1, expirevar:ip.slow_dos_counter=60, id:'160420230822'"
SecRule IP:SLOW_DOS_COUNTER "@gt 5" "phase:1,t:none,log,drop,msg:'Client Connection Dropped due to high number of slow DoS alerts', id:'160420230823'"

Ervin Hegedüs

unread,
Apr 16, 2023, 3:15:50 PM4/16/23
to Blason R, ModSecurity Core Rule Set project
Hi,

On Sun, Apr 16, 2023 at 05:35:24PM +0530, Blason R wrote:
>
> Here are the final rules
> SecRule RESPONSE_STATUS "@streq 408" \
> "phase:5,\
> t:none,\
> nolog,\
> pass,\
> setvar:ip.slow_dos_counter=+1,\
> expirevar:ip.slow_dos_counter=60,\
> id:'160420230822'"
>
> SecRule IP:SLOW_DOS_COUNTER "@gt 5" \
> "phase:1,\
> t:none,\
> log,\
> drop,\
> msg:'Client Connection Dropped due to high number of slow DoS alerts',\
> id:'160420230823'"

If I'm correctly, you check the response status for 408, and if
it matches for the current IP, you increment a counter. (Note,
that - as I wrote - `expirevar` won't work in libmodsecurity3.

In the other rule, you check the counter value, and if it is
greater than 5, you drop the request.

Lack of expirevar in libmodsecurity3 will block the IP while you
restart Nginx.

From the other hand: I should protect the server against this
attack with fail2ban, not with ModSecurity.

But the theory can work IMHO.



a.

Blason R

unread,
Apr 16, 2023, 8:40:10 PM4/16/23
to Ervin Hegedüs, ModSecurity Core Rule Set project
Fail2ban - Hmm that's interesting. I am keen to know the regex for slowloris.

Ervin Hegedüs

unread,
Apr 17, 2023, 3:22:13 AM4/17/23
to Blason R, ModSecurity Core Rule Set project
Hi,

On Mon, Apr 17, 2023 at 06:09:56AM +0530, Blason R wrote:
> Fail2ban - Hmm that's interesting. I am keen to know the regex for
> slowloris.


I'm not sure you have to reinvent the weel :)

https://www.bullten.com/knowledgebase/62/Mitigating-Layer7-HTTP-Flood-with-NginxplusFail2ban.html



a.

Reply all
Reply to author
Forward
0 new messages