FYI - updated the CRS 10 config file to add in this logic and uploaded it to
SVN -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/modsecurity_crs_10_config.conf.example?revision=1772
#
# -=[ Global and IP Collections ]=-
#
# Create both Global and IP collections for rules to use
# There are some CRS rules that assume that these two collections
# have already been initiated.
#
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \
  "phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_var}"

SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
  "phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"

SecRule &TX:REAL_IP "!@eq 0" \
  "phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%{tx.ua_hash}"

SecRule &TX:REAL_IP "@eq 0" \
  "phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash}"
The new rules will grab the first IP address listed in an X-Forwarded-For header
and use that for the IP collection key. If X-Forwarded-For is not present,
then it will use REMOTE_ADDR.
Thanks for the suggestion!
-Ryan
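An added example (not code from the thread or from the CRS) that models the two ways of deriving the IP-collection key discussed here: the first-address logic of rules 981225/981226 above, and a trusted-proxy walk that addresses the concern Oleg raises further down about a client supplying its own X-Forwarded-For value. The trusted proxy range, the header values and the remote addresses are constructed for the example. It assumes the load balancer appends the address of the peer it accepted the connection from to the end of any existing X-Forwarded-For value (the behaviour of Apache mod_proxy, nginx and HAProxy); if your balancer writes the list differently, change which end of the chain is walked.

```python
import hashlib
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumption for this example: the load balancers that add X-Forwarded-For live
# in 10.0.0.0/8. A real deployment lists its own proxy addresses here.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def parse_xff(value: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its entries."""
    if not value:
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def first_ip_client(xff: Optional[str], remote_addr: str) -> str:
    """Mirror rules 981225/981226: the first dotted quad in the header wins,
    otherwise fall back to REMOTE_ADDR. Whatever the client put at the front of
    the list is accepted as-is."""
    m = re.match(r"^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b", xff or "")
    return m.group(1) if m else remote_addr


def trusted_proxy_client(xff: Optional[str], remote_addr: str,
                         trusted=TRUSTED_PROXIES) -> str:
    """Walk the chain from the right (the peer we actually accepted the
    connection from) and skip every address belonging to a trusted proxy.
    The first address that is not one of our proxies is the client; anything
    to its left was written by parties we do not trust."""
    chain = parse_xff(xff) + [remote_addr]
    for entry in reversed(chain):
        try:
            addr = ip_address(entry)
        except ValueError:
            # A malformed entry cannot be one of our proxies, and it cannot be
            # used as a collection key either: fall back to REMOTE_ADDR.
            return remote_addr
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was a trusted proxy (e.g. an internal health check): keep the
    # leftmost entry so such requests still get a stable key.
    return chain[0]


def ip_collection_key(headers: Dict[str, str], remote_addr: str,
                      trusted=TRUSTED_PROXIES) -> str:
    """Build the same key shape the rules above use for initcol:ip, i.e.
    <client ip>_<hex sha1 of User-Agent>, but with the trusted-proxy walk."""
    ua_hash = hashlib.sha1(headers.get("User-Agent", "").encode()).hexdigest()
    client = trusted_proxy_client(headers.get("X-Forwarded-For"), remote_addr, trusted)
    return f"{client}_{ua_hash}"


if __name__ == "__main__":
    # Constructed case 1: a client at 203.0.113.7 behind a balancer at 10.0.0.5.
    print(first_ip_client("203.0.113.7", "10.0.0.5"))          # 203.0.113.7
    print(trusted_proxy_client("203.0.113.7", "10.0.0.5"))     # 203.0.113.7
    # Constructed case 2: the same client sent its own X-Forwarded-For header,
    # and the balancer appended the real peer address after it.
    hdr = "198.51.100.1, 203.0.113.7"
    print(first_ip_client(hdr, "10.0.0.5"))                    # 198.51.100.1 (client-chosen)
    print(trusted_proxy_client(hdr, "10.0.0.5"))               # 203.0.113.7 (seen by the LB)
    print(ip_collection_key({"X-Forwarded-For": hdr, "User-Agent": "curl/7.0"},
                            "10.0.0.5"))
```

The difference between the two functions is the point of the thread: the first-IP rule keys the DoS collection on a value the client can write, while the trusted-proxy walk keys it on the address the last proxy you control actually saw. If ModSecurity itself is the first hop with no balancer in front, REMOTE_ADDR is already that address and no header parsing is needed.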
On 4/28/11 8:19 PM, "Oleg Gryb" <[email protected]> wrote:
I've just realized that there might be a problem with relying on that header: if
an attacker intentionally sends different random IPs in there, DoS protection
can be efficiently bypassed. In my case it should not happen, because an LB is
the one who adds the header, but in general we should warn engineers about the
possible exploit.

Actually, even in the LB case: if a request already had the header, the LB will
create a new one with the existing value appended to the client IP:

x-forwarded-for: real-client-ip, whatever-client-sent-to-LB

It means that we would need to rely on the first IP in the list; everything
else should be considered untrusted.
Thanks,
Oleg.
----- Original Message ----
From: Ryan Barnett <[email protected]>
To: Oleg Gryb <[email protected]>; [email protected]
Cc: [email protected]
Sent: Thu, April 28, 2011 4:41:14 PM
Subject: Re: [Mod-security-developers] CRS DoS protection & x-forwarded-for header
Thanks for the updates Oleg! This will certainly be a useful update to
not only the DoS rules but any rules that will be based on the client IP.
I will actually go back to check other uses of REMOTE_ADDR and see if we
can swap it for tx.real_ip instead.

I will add this to the CRS v2.2.0 that I am working on.
For future reference - here is the OWASP CRS mail-list -
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
--
Ryan Barnett
Senior Security Researcher
Trustwave - SpiderLabs
On 4/28/11 7:32 PM, "Oleg Gryb" <[email protected]> wrote:
>I'm not sure if I can discuss CRS rules here. If not, please let me know
>what the right place is. I want to suggest an improvement to DoS protection
>in CRS 2.1.2. The problem is that enterprise applications usually run behind
>load balancers, so relying on remote_addr doesn't make too much sense,
>because you'll always have an LB's IP in there.
>
>My improved rules (attached) check for the x-forwarded-for header and if
>it's present, this IP will be used to initialize the IP collection. If it's
>not, then the old logic will be used.
>
>It would be great if we can include this improvement in the next CRS
>release.
>
>Thanks,
>Oleg.
------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today. Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
mod-security-developers mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set