[Owasp-modsecurity-core-rule-set] DoS Protection Problem

Nick darknovanick at gmail.com
Mon Apr 29 17:49:44 UTC 2013


Hello,

I've been setting up mod_security and enabled
the modsecurity_crs_11_dos_protection.conf rule. This is mod_security 2.6.8
and CRS version 2.2.5.

I have initialized the settings with:
SecAction \
  "id:'900015', \
  phase:1, \
  t:none, \
  setvar:'tx.dos_burst_time_slice=60', \
  setvar:'tx.dos_counter_threshold=300', \
  setvar:'tx.dos_block_timeout=600', \
  nolog, \
  pass"

This works and it is blocking some very aggressive bots the way it should.
But there is a problem. I have occasionally been getting lines like this in
the log:

Warning. Operator GE matched 2 at IP:dos_burst_counter. [file
"/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_11_dos_protection.conf"]
[line "44"] [id "981049"] [msg "Potential Denial of Service (DoS) Attack
from 65.55.24.236 - # of Request Bursts: 3"]

This bot was actually bingbot. I am new to mod_security, but my
understanding of my settings is that it shouldn't block until a bot has
requested 300 pages in 60 seconds.

When I check the logs I see that IP 65.55.24.236 has requested 313 pages in
1 hour. In the 60 seconds before the DoS block happened, this IP only
requested 6 pages. This block obviously shouldn't be happening.

Am I grossly misunderstanding something, or what can I do to fix this?
Thanks,

Nick
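To make the counting mechanism behind rule 981049 concrete, here is an added simulation (example code, not part of the original post and not the CRS rule file itself). It replays one IP's request timestamps through a simplified model of the documented mechanism: a per-IP request counter for the current time slice, a burst counter that is incremented (and the request counter reset) whenever the request counter exceeds `tx.dos_counter_threshold`, and a block once the burst counter reaches 2 (the "Operator GE matched 2 at IP:dos_burst_counter" condition quoted in the log). The `counter_expires_per_slice` switch is a modelling assumption, not a CRS option: it lets you compare a request counter that expires with the time slice against one that only resets when the threshold is hit, which is exactly the detail worth verifying in the installed `modsecurity_crs_11_dos_protection.conf`. The two request timelines are constructed: a crawler spreading 313 requests evenly over an hour (roughly the bingbot pattern described above) and a flood of 1000 requests in 30 seconds.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Settings copied from the SecAction in the post.
BURST_TIME_SLICE = 60      # tx.dos_burst_time_slice (seconds)
COUNTER_THRESHOLD = 300    # tx.dos_counter_threshold (requests per slice)
BLOCK_TIMEOUT = 600        # tx.dos_block_timeout (seconds)


@dataclass
class IpState:
    """Mirrors the ip.* collection variables the DoS rules keep per client."""
    counter: int = 0                         # ip.dos_counter
    counter_expires: Optional[float] = None  # expiry of ip.dos_counter
    burst_counter: int = 0                   # ip.dos_burst_counter
    burst_expires: Optional[float] = None    # expiry of ip.dos_burst_counter
    block_until: Optional[float] = None      # ip.dos_block expiry
    bursts: List[float] = field(default_factory=list)


def even_timeline(n_requests: int, seconds: float) -> List[float]:
    """Constructed input: n requests spread evenly over the given duration."""
    return [i * seconds / n_requests for i in range(n_requests)]


def simulate(timestamps: List[float],
             counter_expires_per_slice: bool) -> Tuple[Optional[float], List[float]]:
    """Replay request times (seconds) for one IP through the counter model.

    Returns (time of first block or None, list of times a burst was recorded).
    counter_expires_per_slice is a modelling switch (assumption, not a CRS
    option): True expires ip.dos_counter BURST_TIME_SLICE seconds after the
    first request of a slice; False lets it accumulate until the threshold
    resets it.
    """
    s = IpState()
    first_block: Optional[float] = None
    for t in sorted(timestamps):
        # Apply expirevar-style expiry before evaluating the request.
        if s.counter_expires is not None and t >= s.counter_expires:
            s.counter, s.counter_expires = 0, None
        if s.burst_expires is not None and t >= s.burst_expires:
            s.burst_counter, s.burst_expires = 0, None
        if s.block_until is not None and t < s.block_until:
            continue  # request denied while the block is active

        # Count the request in the current time slice.
        s.counter += 1
        if counter_expires_per_slice and s.counter_expires is None:
            s.counter_expires = t + BURST_TIME_SLICE

        # Threshold exceeded: record a burst and reset the request counter.
        if s.counter > COUNTER_THRESHOLD:
            s.burst_counter += 1
            s.burst_expires = t + BURST_TIME_SLICE
            s.counter, s.counter_expires = 0, None
            s.bursts.append(t)

        # Second burst: block the client for the configured timeout.
        if s.burst_counter >= 2:
            if first_block is None:
                first_block = t
            s.block_until = t + BLOCK_TIMEOUT
    return first_block, s.bursts


if __name__ == "__main__":
    crawler = even_timeline(313, 3600)   # ~5 requests per minute for an hour
    flood = even_timeline(1000, 30)      # 1000 requests in 30 seconds
    for label, timeline in (("crawler", crawler), ("flood", flood)):
        for expires in (True, False):
            block, bursts = simulate(timeline, expires)
            print(f"{label:8s} counter_expires_per_slice={expires!s:5s} "
                  f"bursts={len(bursts)} first_block={block}")
```

With a counter that expires per slice, the crawler never exceeds six requests in any 60-second window, so no burst is recorded and no block occurs, while the flood records its second burst about 18 seconds in and is blocked. With a counter that only resets on the threshold, the same crawler is credited with a burst after its 301st request of the hour despite never being anywhere near 300 requests in a minute; if the installed rule behaves that way, every slow but steady crawler will eventually accumulate bursts.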

