owasp-modsecurity / ModSecurity

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
https://www.modsecurity.org
Apache License 2.0

Add DoS prevention code #416

Closed rcbarnett-zz closed 4 years ago

rcbarnett-zz commented 11 years ago

MODSEC-265: Add in new DoS prevention code similar to mod_evasive which keeps an internal hash table of IP address connection limits - http://www.zdziarski.com/blog/?page_id=442

Look at the mod_evasive20.c file. We could add similarly named directives -

  SecDOSHashTableSize 3097
  SecDOSPageCount 2
  SecDOSSiteCount 50
  SecDOSPageInterval 1
  SecDOSSiteInterval 1
  SecDOSBlockingPeriod 10

I would suggest that we also add a directive such as - SecDOSWhitelistURLs - where the user can specify URLs to exclude
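The directive set above, as an added model (not ModSecurity's or mod_evasive's code) of how such an in-process hit table would decide on each request. The SecDOS* names map onto the configuration fields; the "count resets only after a quiet interval", "denied requests extend the block" and "whitelisted URLs are never counted" behaviours are assumptions about the scheme, not a reading of mod_evasive20.c; the clock is passed in so the decisions can be replayed offline against constructed traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DosConfig:
    """Knobs named after the directives proposed in this issue (assumed semantics)."""
    page_count: int = 2          # SecDOSPageCount: hits allowed to one URI per interval
    site_count: int = 50         # SecDOSSiteCount: hits allowed to any URI per interval
    page_interval: int = 1       # SecDOSPageInterval, seconds
    site_interval: int = 1       # SecDOSSiteInterval, seconds
    blocking_period: int = 10    # SecDOSBlockingPeriod, seconds
    whitelist_urls: Tuple[str, ...] = ()  # SecDOSWhitelistURLs: exempt URI prefixes (assumed prefix match)


@dataclass
class Entry:
    timestamp: int   # time of the most recent hit on this key
    count: int = 1   # hits since the count was last reset


class DosLimiter:
    """In-process hit table keyed by client address and by address+URI."""

    def __init__(self, cfg: DosConfig) -> None:
        self.cfg = cfg
        self.hits: Dict[str, Entry] = {}  # stand-in for the shared hash table

    def _bump(self, key: str, now: int, interval: int, limit: int) -> bool:
        """Record one hit on key; True when more than `limit` hits fell inside the interval.

        The count resets only after the key has been quiet for `interval`
        seconds, so a client that keeps hammering never gets a fresh window.
        """
        entry = self.hits.get(key)
        if entry is None:
            self.hits[key] = Entry(now)
            return False
        if now - entry.timestamp >= interval:
            entry.count = 0
        entry.timestamp = now
        entry.count += 1
        return entry.count > limit

    def check(self, ip: str, uri: str, now: int) -> str:
        """Decide 'allow' or 'deny' for one request seen at time `now` (seconds)."""
        if any(uri.startswith(prefix) for prefix in self.cfg.whitelist_urls):
            return "allow"                      # excluded URLs are neither counted nor blocked

        block = self.hits.get(f"block:{ip}")
        if block is not None and now - block.timestamp < self.cfg.blocking_period:
            block.timestamp = now               # assumed: a denied hit extends the block
            return "deny"

        page_over = self._bump(f"{ip}_{uri}", now, self.cfg.page_interval, self.cfg.page_count)
        site_over = self._bump(ip, now, self.cfg.site_interval, self.cfg.site_count)
        if page_over or site_over:
            self.hits[f"block:{ip}"] = Entry(now)   # start the blocking period
            return "deny"
        return "allow"


def run_trace(limiter: DosLimiter, trace: List[Tuple[str, str, int]]) -> List[str]:
    """Feed (ip, uri, time) tuples through the limiter and return the decisions in order."""
    return [limiter.check(ip, uri, t) for ip, uri, t in trace]


if __name__ == "__main__":
    # Constructed traffic: one client hits /login three times in the same second,
    # then keeps coming back while blocked; a second client is unaffected.
    burst = [
        ("10.0.0.1", "/login", 0), ("10.0.0.1", "/login", 0), ("10.0.0.1", "/login", 0),
        ("10.0.0.1", "/about", 5), ("10.0.0.1", "/static/app.js", 6),
        ("10.0.0.1", "/about", 14), ("10.0.0.1", "/about", 25),
        ("10.0.0.2", "/login", 14),
    ]
    limiter = DosLimiter(DosConfig(whitelist_urls=("/static/",)))
    for (ip, uri, t), verdict in zip(burst, run_trace(limiter, burst)):
        print(f"t={t:>2} {ip} {uri:<16} {verdict}")
```

The trace shows the two properties a WAF operator cares about when tuning such limits: the third hit on one page inside a one-second interval trips the page limit, and the block outlives the burst because each denied retry pushes its expiry out, so a client that backs off for the full SecDOSBlockingPeriod is admitted again while one that keeps retrying stays blocked.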

rcbarnett-zz commented 11 years ago

Original reporter: rbarnett

rcbarnett-zz commented 11 years ago

marcstern: Questions:

  1. What's the interest to duplicate mod_evasive? Do you plan any additional features? mod_evasive is missing per location settings, but this could be added in this module.
  2. What can't we do for the moment with the IP collection? Is it only to simplify things or do you see a major performance gain? Actually, we are missing one collection to perform everything that mod_evasive does, but adding custom collections would solve that in a generic way (that would be beneficial for a lot of other situations).

rcbarnett-zz commented 11 years ago

marcstern: Is it a good idea to duplicate other modules functionalities? You have also mod_req_timeout, mod_qos, etc. Isn't it better to focus on core functionalities that are not covered by other modules?

rcbarnett-zz commented 11 years ago

rbarnett: @Marc - we have discussed implementing DoS/DDoS detection code in ModSecurity for some time. It is a core issue and something that we should be able to address. The issues with using IP collections are:

  1. Performance - the current implementation works but is not performant. We need to be able to keep internal state for sites with large amounts of traffic.
  2. Ease of usage - using persistent storage today is not easy for the average user. By baking DoS/DDoS capabilities directly into core ModSec functionality with a module, it will be easier for users to configure and understand.

I agree with you that mimicking the current mod_evasive functionality is not enough. It should be improved upon. I also think that this is a capability that modsecurity should have itself and users should not have to install another module to gain the functionality.

rcbarnett-zz commented 9 years ago

For reference - here is a similar module in Nginx - http://nginx.org/en/docs/http/ngx_http_limit_req_module.html

hamzasaeed2029 commented 4 years ago

I deployed modsecurity as default with CRS and it did not protect me from a DOS attack which I tried with the "hulk" tool. Nothing showed up in the logs (debug.log, access.log or error log). Kindly help.

zimmerle commented 4 years ago

> I deployed modsecurity as default with CRS and it did not protect me from a DOS attack which I tried with the "hulk" tool. Nothing showed up in the logs (debug.log, access.log or error log). Kindly help.

Hi @hamzasaeed2029, you may want to open the issue on the CRS project; they will be able to help you with the CRS rules.

hamzasaeed2029 commented 4 years ago

> > I deployed modsecurity as default with CRS and it did not protect me from a DOS attack which I tried with the "hulk" tool. Nothing showed up in the logs (debug.log, access.log or error log). Kindly help.
>
> Hi @hamzasaeed2029, you may want to open the issue on the CRS project; they will be able to help you with the CRS rules.

I think I haven't set the parameters. Let me first try doing that. Thanks for being helpful.