Re: [Owasp-modsecurity-core-rule-set] [Mod-security-developers] CRS DoS protection & x-forwarded-for header

[Ryan Barnett]

Good point about IPv6.  Looks like we could still do this using the same #
of SecRules and just not using an IP regex like this -

SecRule REQUEST_HEADERS:User-Agent "^(.*)$"
"phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_v
ar}"
SecRule REQUEST_HEADERS:x-forwarded-for "^(.*?),?.*$"
"phase:1,t:none,pass,nolog,setvar:tx.real_ip=%{matched_var}"

SecRule &TX:REAL_IP "@eq 0"
"phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}_
%{tx.ua_hash},,setvar:tx.real_ip=%{remote_addr}"
SecRule &TX:REAL_IP "!@eq 0"
"phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_%
{tx.ua_hash}"



--
Ryan



On 5/6/11 1:16 PM, "Oleg Gryb" <oleg_g...@yahoo.com> wrote:

>Ryan,
>
>Thanks for the update. It might have problems with IPv6 though. Here are
>my rules: they search for ',' and disregard the IP structure:
>
>
>SecRule REQUEST_HEADERS:User-Agent "^(.*)$"
>"phase:1,t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_hash=%{matched_
>var}"
>SecRule REQUEST_HEADERS:x-forwarded-for "^(.*)$"
>"phase:1,t:none,pass,nolog,setvar:tx.real_ip=%{matched_var}"
>SecRule TX:REAL_IP "^(.*?),.*$"
>"phase:1,t:none,pass,nolog,capture,setvar:tx.real_ip=%{TX.1}"
>
>SecRule &TX:REAL_IP "@eq 0"
>"phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}
>_%{tx.ua_hash},,setvar:tx.real_ip=%{remote_addr}"
>SecRule &TX:REAL_IP "!@eq 0"
>"phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{tx.real_ip}_
>%{tx.ua_hash}"
>
>Thanks,
>Oleg.
>
>--- On Thu, 5/5/11, Ryan Barnett <rbarn...@trustwave.com> wrote:
>
>> From: Ryan Barnett <rbarn...@trustwave.com>
>> Subject: Re: [Mod-security-developers] CRS DoS protection &
>>x-forwarded-for header
>> To: "Oleg Gryb" <o...@gryb.info>,
>>"mod-security-develop...@lists.sourceforge.net"
>><mod-security-develop...@lists.sourceforge.net>
>> Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org"
>><owasp-modsecurity-core-rule-set@lists.owasp.org>
>> Date: Thursday, May 5, 2011, 10:46 AM
>> FYI - updated the CRS 10 config file
>> to add in this logic and uploaded it to SVN -
>>
>>http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/mod
>>security_crs_10_config.conf.example?revision=1772
>>
>> #
>> # -=[ Global and IP Collections ]=-
>> #
>> # Create both Global and IP collections for rules to use
>> # There are some CRS rules that assume that these two
>> collections
>> # have already been initiated.
>> #
>> SecRule REQUEST_HEADERS:User-Agent "^(.*)$"
>>
>>"phase:1,id:'981217',t:none,pass,nolog,t:sha1,t:hexEncode,setvar:tx.ua_ha
>>sh=%{matched_var}"
>> SecRule REQUEST_HEADERS:x-forwarded-for
>> "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b"
>>
>>"phase:1,id:'981225',t:none,pass,nolog,capture,setvar:tx.real_ip=%{tx.1}"
>> SecRule &TX:REAL_IP "!@eq 0"
>>
>>"phase:1,id:'981226',t:none,pass,nolog,initcol:global=global,initcol:ip=%
>>{tx.real_ip}_%{tx.ua_hash}"
>> SecRule &TX:REAL_IP "@eq 0"
>>
>>"phase:1,id:'981218',t:none,pass,nolog,initcol:global=global,initcol:ip=%
>>{remote_addr}_%{tx.ua_hash}"
>>
>> The new rules will grab the first IP address listed in an
>> X-Forwared-For header and use that for the IP collection
>> key.  If X-Forwarded-For is not present, then it will
>> use REMOTE_ADDR.
>>
>> Thanks for the suggestion!
>>
>> -Ryan
>>
>>
>> On 4/28/11 8:19 PM, "Oleg Gryb"
>><oleg_g...@yahoo.com<mailto:oleg_g...@yahoo.com>>
>> wrote:
>>
>> I've just realized that there might be a problem with
>> relying on that header: if
>> an attacker intentionally sends different random IPs in
>> there, DoS protection
>> can be efficiently by-passed. In my case it should not
>> happen, because an LB is
>> the one who adds the header, but in general we should warn
>> engineers about the
>> possible exploit.
>>
>>
>> Actually, even in LB case: if a request has already had the
>> header, LB will
>> create a new one with the existing value appended to the
>> client IP:
>>
>> x-forwarded-for: real-client-ip,
>> whatever-client-sent-to-LB
>>
>> It means that we would need to rely on the the first IP in
>> the list, everything
>> else should be considered as untrusted.
>>
>> Thanks,
>> Oleg.
>>
>>
>> ----- Original Message ----
>> From: Ryan Barnett
>><rbarn...@trustwave.com<mailto:rbarn...@trustwave.com>>
>> To: Oleg Gryb <o...@gryb.info<mailto:o...@gryb.info>>;
>>
>>"mod-security-develop...@lists.sourceforge.net<mailto:mod-security-develo
>>p...@lists.sourceforge.net>"
>>
>><mod-security-develop...@lists.sourceforge.net<mailto:mod-security-develo
>>p...@lists.sourceforge.net>>
>> Cc:
>>"owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity
>>-core-rule-...@lists.owasp.org>"
>>
>><owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity
>>-core-rule-...@lists.owasp.org>>
>> Sent: Thu, April 28, 2011 4:41:14 PM
>> Subject: Re: [Mod-security-developers] CRS DoS protection
>> & x-forwarded-for
>> header
>> Thanks for the updates Oleg!  This will certainly be a
>> useful update  to
>> not only the DoS rules buy any rules that will be based on
>> the client  IP.
>> I will actually go back to check other uses of REMOTE_ADDR
>> and see if  we
>> can swap it for tx.real_ip instead.
>> I will add this to the CRS  v2.2.0 that I am working
>> on.
>> For future reference - here is the OWASP CRS
>> mail-list -
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>> --
>> Ryan  Barnett
>> Senior Security Researcher
>> Trustwave -  SpiderLabs
>> On 4/28/11 7:32 PM, "Oleg Gryb"
>><oleg_g...@yahoo.com<mailto:oleg_g...@yahoo.com>>
>> wrote:
>> >I'm not sure if I can discuss CRS rules here. If not,
>> please  let me know
>> >what
>> >the right place is. I want to suggest an
>> improvement to DoS protection in
>> >CRS
>> >2.1.2. The problem is that  enterprise
>> applications usually run behind
>> >load
>> >balancers, so  relying on remote_addr doesn't make
>> too much sense, because
>> >you'll
>> >always have an LB's IP in there.
>> >
>> >
>> >My improved  rules (attached)  check for
>> x-forwarded-for header and if
>> >it's
>> >present, this IP will be used to initialize IP
>> collection. If it's  not
>> >then the
>> >old logic will be used.
>> >
>> >It would be  great if we can include this
>> improvement to the next  CRS
>> >release.
>> >
>> >Thanks,
>> >Oleg.
>>
>>-------------------------------------------------------------------------
>>-----
>> WhatsUp  Gold - Download Free Network Management
>> Software
>> The most intuitive,  comprehensive, and cost-effective
>> network
>> management toolset available  today.  Delivers
>> lowest initial
>> acquisition cost and overall TCO of any
>> competing  solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> mod-security-developers  mailing list
>>
>>mod-security-develop...@lists.sourceforge.net<mailto:mod-security-develop
>>e...@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity  Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>>
>>-------------------------------------------------------------------------
>>-----
>> WhatsUp Gold - Download Free Network Management Software
>> The most intuitive, comprehensive, and cost-effective
>> network
>> management toolset available today.  Delivers lowest
>> initial
>> acquisition cost and overall TCO of any competing
>> solution.
>> http://p.sf.net/sfu/whatsupgold-sd
>> _______________________________________________
>> mod-security-developers mailing list
>>
>>mod-security-develop...@lists.sourceforge.net<mailto:mod-security-develop
>>e...@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>>
>>
>>
>> ________________________________
>> This transmission may contain information that is
>> privileged, confidential, and/or exempt from disclosure
>> under applicable law. If you are not the intended recipient,
>> you are hereby notified that any disclosure, copying,
>> distribution, or use of the information contained herein
>> (including any reliance thereon) is STRICTLY PROHIBITED. If
>> you received this transmission in error, please immediately
>> contact the sender and destroy the material in its entirety,
>> whether in electronic or hard copy format.
>>
>>
>


This transmission may contain information that is privileged, confidential, 
and/or exempt from disclosure under applicable law. If you are not the intended 
recipient, you are hereby notified that any disclosure, copying, distribution, 
or use of the information contained herein (including any reliance thereon) is 
STRICTLY PROHIBITED. If you received this transmission in error, please 
immediately contact the sender and destroy the material in its entirety, 
whether in electronic or hard copy format.

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set