[Owasp-modsecurity-core-rule-set] DoS Protection Problem
darknovanick at gmail.com
Mon Apr 29 17:49:44 UTC 2013
I've been setting up mod_security and enabled
the modsecurity_crs_11_dos_protection.conf rule. This is mod_security 2.6.8
and CRS version 2.2.5.
I have initialized the settings with:
This works and it is blocking some very aggressive bots the way it should.
But there is a problem. I have occasionally been getting lines like this in
Warning. Operator GE matched 2 at IP:dos_burst_counter. [file
[line "44"] [id "981049"] [msg "Potential Denial of Service (DoS) Attack
from 220.127.116.11 - # of Request Bursts: 3"]
This bot was actually bingbot. I am new to mod_security, but my
understanding of my settings is that it shouldn't block until a bot has
requested 300 pages in 60 seconds.
When I check the logs I see that IP 18.104.22.168 has requested 313 pages in
1 hour. In the 60 seconds before the DoS block happened, this IP only
requested 6 pages. This block obviously shouldn't be happening.
Am I grossly misunderstanding something, or what can I do to fix this?