Hi Breno, Could explain the term "bad connection" a bit? Ryan's blog post implies a client IP is considered bad when it has too many connections in read state. Your entry in the CHANGES document reads, "Add SecReadStateLimit to limit the number of BUSY connections".
I can't see why a proxy can't have a lot of legitimate connections in read state. AFAIK Request Body reading is also considered "read". So uploads can remain in READ for a certain time - depending on service. I do not want to pester you too much, but I just want to make sure I get this correctly - and people are aware that telling good from bad connections is very tricky. Especially when it comes to request delaying and you want to make sure you are not locking legitimate users. Best Regs, Christian Von: Breno Silva [mailto:[email protected]] Gesendet: Mittwoch, 24. November 2010 13:20 An: Folini Christian, IT222 extern Cc: [email protected]; [email protected]; [email protected] Betreff: Re: [mod-security-users] [Owasp-modsecurity-core-rule-set] Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks Hi Christian, The SecReadStateLimit is not only a threshold for ip address. It is looking for an "anomaly" in connection process. So if you are behind a proxy or a NAT only the bad connections will be dropped. The good ones will pass normally. So legit connections behind the proxy will works fine. Thanks Breno On Wed, Nov 24, 2010 at 1:17 AM, <[email protected]<mailto:[email protected]>> wrote: Hi Ryan, Nice post. Thanks. Especially the combination of mod_reqtimeout and ModS is very elegant in my eyes. I am not so happy with SecReadStateLimit looking only at the IP address. How do protect proxies from your countermeasures? A proxy might share multiple hundred legitimate connections with your server for multiple hundred legitimate clients, all appearing to come from the same IP address. Regs, Christian -----Ursprüngliche Nachricht----- Von: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] Im Auftrag von Ryan Barnett Gesendet: Mittwoch, 24. November 2010 02:45 An: [email protected]<mailto:[email protected]>; [email protected]<mailto:[email protected]> Betreff: [Owasp-modsecurity-core-rule-set] Advanced Topic of the Week: Mitigating Slow HTTP DoS Attacks This week's blog post - http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html -- Ryan Barnett Senior Security Researcher Trustwave - SpiderLabs _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected]<mailto:[email protected]> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set ------------------------------------------------------------------------------ Increase Visibility of Your 3D Game App & Earn a Chance To Win $500! Tap into the largest installed PC base & get more eyes on your game by optimizing for Intel(R) Graphics Technology. Get started today with the Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs. http://p.sf.net/sfu/intelisp-dev2dev _______________________________________________ mod-security-users mailing list [email protected]<mailto:[email protected]> https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Appliances, Rule Sets and Support: http://www.modsecurity.org/breach/index.html
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
