Closed khoata14592 closed 8 years ago
You can use the existing DDoS rulesets in the OWASP CRS, or write your own ModSecurity rules and translate them using the translation script in tools/modsec2lua-resty-waf.pl
@p0pr0ck5 I tried translating the DOS ruleset using tools/modsec2lua-resty-waf.pl, and I get the following errors:

```
Cannot translate action chain
Cannot translate action drop
Cannot translate action drop
```
I get the following lua-resty JSON:

```json
{"access":[{"action":"CHAIN","id":"981044","msg":"Denial of Service (DoS) Attack Identified from %{tx.real_ip} (%{tx.dos_block_counter} hits since last alert)","operator":"EQUALS","opts":{"setvar":[{"col":"ip","inc":1,"key":"dos_block_counter","value":1}]},"pattern":1,"vars":[{"parse":{"specific":"DOS_BLOCK"},"storage":1,"type":"IP"}]},{"action":"DENY","id":"981044","operator":"EQUALS","opts":{"expirevar":[{"col":"ip","key":"dos_block_flag","time":60}],"setvar":[{"col":"ip","key":"dos_block_flag","value":"1"},{"col":"tx","key":"dos_block_counter","value":"%{ip.dos_block_counter}"},{"col":"ip","key":"dos_block_counter","value":"0"}]},"pattern":0,"vars":[{"length":1,"parse":{"specific":"DOS_BLOCK_FLAG"},"storage":1,"type":"IP"}]},{"action":"DENY","id":"981045","operator":"EQUALS","opts":{"nolog":1,"setvar":[{"col":"ip","inc":1,"key":"dos_block_counter","value":1}]},"pattern":1,"vars":[{"parse":{"specific":"DOS_BLOCK"},"storage":1,"type":"IP"}]},{"action":"DENY","id":"END_DOS_PROTECTION_CHECKS","op_negated":1,"vars":[{"unconditional":1}]}],"body_filter":[{"action":"IGNORE","id":"981046","operator":"EQUALS","opts":{"nolog":1},"pattern":1,"skip_after":"END_DOS_PROTECTION_CHECKS","vars":[{"parse":{"specific":"DOS_BLOCK"},"storage":1,"type":"IP"}]},{"action":"IGNORE","id":"981047","op_negated":1,"operator":"REGEX","opts":{"nolog":1,"setvar":[{"col":"ip","inc":1,"key":"dos_counter","value":1}]},"pattern":"\\.(jpe?g|png|gif|js|css|ico)$","vars":[{"type":"REQUEST_BASENAME"}]},{"action":"IGNORE","id":"981048","operator":"GREATER","opts":{"deletevar":[{"col":"ip","key":"dos_counter"}],"expirevar":[{"col":"ip","key":"dos_burst_counter","time":"%{tx.dos_burst_time_slice}"}],"nolog":1,"setvar":[{"col":"ip","inc":1,"key":"dos_burst_counter","value":1}]},"pattern":"%{tx.dos_counter_threshold}","vars":[{"parse":{"specific":"DOS_COUNTER"},"storage":1,"type":"IP"}]},{"action":"IGNORE","id":"981049","msg":"Potential Denial of Service (DoS) Attack from %{tx.real_ip} - # of Request Bursts: %{ip.dos_burst_counter}","operator":"GREATER_EQ","opts":{"expirevar":[{"col":"ip","key":"dos_block","time":"%{tx.dos_block_timeout}"}],"setvar":[{"col":"ip","key":"dos_block","value":"1"}]},"pattern":2,"vars":[{"parse":{"specific":"DOS_BURST_COUNTER"},"storage":1,"type":"IP"}]}],"header_filter":[]}
```
In the wiki you mentioned that if there is any problem while translating, the obtained ruleset's behaviour is unexpected. So is this obtained ruleset good or bad?

And, since the actions in this ruleset are all "CHAIN" and "IGNORE", how can the score be affected when these rules get hit?
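A small lint over translator output like the JSON above, as an added example that is not part of lua-resty-waf or its translation script. It lists the things a reviewer would look at after seeing "Cannot translate ..." warnings: rule ids that occur more than once (a ModSecurity chain split into several rules sharing one id), `skip_after` targets with no matching id in the same phase, and `%{...}` macros left in a pattern; whether lua-resty-waf accepts each flagged construct is not settled in this thread, so the output is a review list, not a verdict. The sample ruleset embedded below is a constructed, trimmed copy of the output shown in the thread.

```python
"""Lint a translated lua-resty-waf ruleset (modsec2lua-resty-waf.pl output).

Added example, not code from the lua-resty-waf project. Findings are
items to review by hand, not errors the WAF is known to reject.
"""
import json
import re
from collections import Counter

# ModSecurity-style macro placeholder, e.g. %{tx.dos_counter_threshold}
MACRO = re.compile(r"%\{[^}]+\}")


def lint_ruleset(ruleset):
    """Return (phase, rule_id, finding) tuples for a parsed ruleset dict."""
    findings = []
    for phase, rules in ruleset.items():
        ids = [r.get("id") for r in rules]
        # Chained ModSecurity rules come out as several rules with one id.
        for rid, n in Counter(ids).items():
            if n > 1:
                findings.append((phase, rid, "id appears %d times" % n))
        for r in rules:
            target = r.get("skip_after")
            if target is not None and target not in ids:
                findings.append((phase, r.get("id"),
                                 "skip_after target %r not in this phase" % target))
            pat = r.get("pattern")
            if isinstance(pat, str) and MACRO.search(pat):
                findings.append((phase, r.get("id"), "pattern uses macro %s" % pat))
    return findings


# Constructed sample: a trimmed version of the translator output in the thread.
SAMPLE = json.loads("""
{"access": [
   {"action": "CHAIN", "id": "981044", "operator": "EQUALS", "pattern": 1, "vars": [{"type": "IP"}]},
   {"action": "DENY", "id": "981044", "operator": "EQUALS", "pattern": 0, "vars": [{"type": "IP"}]},
   {"action": "DENY", "id": "END_DOS_PROTECTION_CHECKS", "op_negated": 1, "vars": [{"unconditional": 1}]}
 ],
 "body_filter": [
   {"action": "IGNORE", "id": "981046", "skip_after": "END_DOS_PROTECTION_CHECKS", "pattern": 1, "vars": []},
   {"action": "IGNORE", "id": "981048", "operator": "GREATER", "pattern": "%{tx.dos_counter_threshold}", "vars": []}
 ],
 "header_filter": []}
""")

if __name__ == "__main__":
    for phase, rid, finding in lint_ruleset(SAMPLE):
        print("%-12s %-26s %s" % (phase, rid, finding))
```

Running it against the full JSON from the thread (load it with `json.load` from a file instead of `SAMPLE`) produces the same three kinds of findings for rules 981044, 981046 and 981048.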
@krugar100 please don't hijack old, closed bugs. For questions like this, please see our Codewake community page at https://www.codewake.com/p/lua-resty-waf. I have asked a question (and provided a response) on your behalf at https://www.codewake.com/t/translating-modsecurity-ddos-rules.
Also, please make sure you fully understand how the ModSecurity DDoS rules work.
Hi p0pr0ck5, this project is very cool. I have some questions about rulesets. I wonder if the anomaly score handling ruleset can prevent DOS/DDOS attacks? If not, would you add DDOS/DOS rulesets in the future? Thanks