Closed rcbarnett-zz closed 4 years ago
Original reporter: rbarnett
marcstern: Questions:
marcstern: Is it a good idea to duplicate other modules' functionalities? You also have mod_req_timeout, mod_qos, etc. Isn't it better to focus on core functionalities that are not covered by other modules?
rbarnett: @Marc - we have discussed implementing DoS/DDoS detection code in ModSecurity for some time. It is a core issue and something that we should be able to address. The issues with using IP collections are:
1) Performance - the current implementation works but is not performant. We need to be able to keep internal state for sites with large amounts of traffic.
2) Ease of usage - using persistent storage today is not easy for the average user. By baking DoS/DDoS capabilities directly into core ModSec functionality with a module, it will be easier for users to configure and understand.
I agree with you that mimicking the current mod_evasive functionality is not enough. It should be improved upon. I also think that this is a capability that modsecurity should have itself and users should not have to install another module to gain the functionality.
For reference - here is a similar module in Nginx - http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
I deployed modsecurity as default with crs and it did not protect me from DOS attack which I tried with "hulk" tool. Nothing showed up on logs (debug.log, access.log or error log). Kindly help.
Hi @hamzasaeed2029 you may want to open the issue on the CRS project, they will be able to help you with the CRS rules.
I think I haven't set the parameters. let me first try doing that. Thanks for being helpful
MODSEC-265: Add in new DoS prevention code similar to mod_evasive which keeps an internal hash table of IP address connection limits - http://www.zdziarski.com/blog/?page_id=442
Look at the mod_evasive20.c file. We could add similarly named directives -
SecDOSHashTableSize 3097
SecDOSPageCount 2
SecDOSSiteCount 50
SecDOSPageInterval 1
SecDOSSiteInterval 1
SecDOSBlockingPeriod 10
I would suggest that we also add a directive such as - SecDOSWhitelistURLs - where the user can specify URLs to exclude
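To make the proposed directives concrete, here is an added example of the per-IP hash-table logic they describe. It is my own illustration, not code from ModSecurity, mod_evasive or the CRS, and it is written in Python rather than C so it runs stand-alone. Parameter names mirror the SecDOS* directives listed above and default to the values given there; the window semantics (fixed window, deny once a counter exceeds the limit), the behaviour of extending the block while a denied IP keeps sending, and the treatment of SecDOSWhitelistURLs as paths that are never counted or denied are all assumptions modelled on how I understand mod_evasive to behave. The request trace is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DosConfig:
    """Parameters named after the SecDOS* directives proposed in this issue.

    Defaults are the values from the issue text. Semantics are an assumption
    modelled on mod_evasive: an IP is denied when it requests the same page
    more than page_count times inside a page_interval-second window, or any
    page more than site_count times inside a site_interval-second window. A
    denied IP stays denied for blocking_period seconds, and every request it
    sends while denied restarts that period.
    """
    page_count: int = 2
    site_count: int = 50
    page_interval: float = 1.0
    site_interval: float = 1.0
    blocking_period: float = 10.0
    # SecDOSWhitelistURLs (assumed semantics): paths never counted or denied.
    whitelist_urls: frozenset = frozenset()


class DosLimiter:
    """In-memory per-IP state: the 'internal hash table' the issue describes."""

    def __init__(self, cfg: DosConfig) -> None:
        self.cfg = cfg
        # (ip, uri) for the page counter, (ip, None) for the site counter
        # -> [hits in the current window, window start time]
        self._hits = {}
        # ip -> time of the last denied request (start of the blocking period)
        self._blocked = {}

    def _over_limit(self, key, now, interval, limit) -> bool:
        """Fixed window: the count restarts once interval seconds have passed."""
        entry = self._hits.get(key)
        if entry is None or now - entry[1] >= interval:
            self._hits[key] = [1, now]
            return False
        entry[0] += 1
        return entry[0] > limit

    def check(self, ip: str, uri: str, now: float) -> str:
        """Return 'allow' or 'deny' for one request at time now (seconds)."""
        cfg = self.cfg
        if uri in cfg.whitelist_urls:
            return "allow"
        since = self._blocked.get(ip)
        if since is not None:
            if now - since < cfg.blocking_period:
                self._blocked[ip] = now  # keep extending the block while it hammers
                return "deny"
            del self._blocked[ip]
        # The site counter is only bumped when the page counter did not already
        # trip, which is harmless because the IP is blocked either way.
        if (self._over_limit((ip, uri), now, cfg.page_interval, cfg.page_count)
                or self._over_limit((ip, None), now, cfg.site_interval, cfg.site_count)):
            self._blocked[ip] = now
            return "deny"
        return "allow"


def replay(lines, cfg):
    """Replay constructed '<ip> <uri> <seconds>' lines; one decision per line."""
    limiter = DosLimiter(cfg)
    decisions = []
    for line in lines:
        ip, uri, t = line.split()
        decisions.append(limiter.check(ip, uri, float(t)))
    return decisions


# Constructed trace (not real traffic): one client hammering /login, then
# coming back after the blocking period, and one client polling a
# whitelisted health endpoint.
SAMPLE_TRACE = [
    "198.51.100.7 /login 0.0",
    "198.51.100.7 /login 0.2",
    "198.51.100.7 /login 0.4",       # third hit in the 1 s window -> deny, block
    "198.51.100.7 /index.html 0.5",  # still blocked, block extended to 0.5
    "198.51.100.7 /login 11.0",      # 10.5 s after last hit -> unblocked
    "203.0.113.9 /healthz 12.0",
    "203.0.113.9 /healthz 12.1",
    "203.0.113.9 /healthz 12.2",
    "203.0.113.9 /healthz 12.3",     # whitelisted path, never counted
]

SAMPLE_CONFIG = DosConfig(whitelist_urls=frozenset({"/healthz"}))


def run_sample():
    return replay(SAMPLE_TRACE, SAMPLE_CONFIG)


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_TRACE, run_sample()):
        print(f"{decision:5s} {line}")
```

The per-page and per-site counters are deliberately separate dictionaries keyed by IP, which is where the HashTableSize tuning and the performance concern raised earlier in the thread come in: for a busy site the table is dominated by (ip, uri) keys, so expired entries need to be swept or the table bounded, which this example does not do.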