Add DoS prevention code #416

rcbarnett opened this Issue Oct 17, 2013 · 5 comments

rcbarnett commented Oct 17, 2013

MODSEC-265: Add in new DoS prevention code similar to mod_evasive which keeps an internal hash table of IP address connection limits -
http://www.zdziarski.com/blog/?page_id=442

Look at the mod_evasive20.c file. We could add similarly named directives -

SecDOSHashTableSize 3097
SecDOSPageCount 2
SecDOSSiteCount 50
SecDOSPageInterval 1
SecDOSSiteInterval 1
SecDOSBlockingPeriod 10

I would suggest that we also add a directive such as - SecDOSWhitelistURLs - where the user can specify URLs to exclude
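The following is an added illustration, not ModSecurity or mod_evasive source and not anything the issue author posted: a per-IP limiter that implements what the proposed SecDOS* directives above would mean if they took mod_evasive's documented semantics. The class name, the method names, the URL-prefix reading of SecDOSWhitelistURLs and the sample traffic are assumptions made for the example. The counter tables are bounded by the hash table size with least-recently-seen eviction, so memory stays constant however many source addresses a flood spreads across, which is the point of mod_evasive's DOSHashTableSize.

```python
"""Added example (not ModSecurity or mod_evasive source): a per-IP DoS
limiter with the semantics the proposed SecDOS* directives imply, modelled
on mod_evasive's documented behaviour.

Assumptions made here:
  * SecDOSPageCount / SecDOSPageInterval: more than `page_count` requests
    for the same URI from one IP within `page_interval` seconds blocks it.
  * SecDOSSiteCount / SecDOSSiteInterval: more than `site_count` requests
    to any URI from one IP within `site_interval` seconds blocks it.
  * SecDOSBlockingPeriod: a blocked IP is denied for `blocking_period`
    seconds and every denied request restarts that timer (as mod_evasive
    does), so a client that keeps hammering stays blocked.
  * SecDOSHashTableSize: each counter table holds at most `hash_table_size`
    keys; the least recently seen key is evicted, bounding memory use.
  * SecDOSWhitelistURLs: URI prefixes that are never counted or blocked.
"""
import time
from collections import OrderedDict
from typing import Iterable, List, Optional, Tuple


class SecDosLimiter:
    def __init__(self, hash_table_size: int = 3097, page_count: int = 2,
                 site_count: int = 50, page_interval: float = 1.0,
                 site_interval: float = 1.0, blocking_period: float = 10.0,
                 whitelist_urls: Iterable[str] = ()) -> None:
        self.hash_table_size = hash_table_size
        self.page_count = page_count
        self.site_count = site_count
        self.page_interval = page_interval
        self.site_interval = site_interval
        self.blocking_period = blocking_period
        self.whitelist_urls = tuple(whitelist_urls)
        self._page_hits = OrderedDict()   # (ip, uri) -> (window start, hits)
        self._site_hits = OrderedDict()   # ip -> (window start, hits)
        self._blocked_until = {}          # ip -> time at which the block expires

    def _count(self, table: OrderedDict, key, now: float, interval: float) -> int:
        """Record one hit in a fixed window and return the hits in that window."""
        start, hits = table.get(key, (now, 0))
        if now - start >= interval:       # window is over: start a fresh one
            start, hits = now, 0
        table[key] = (start, hits + 1)
        table.move_to_end(key)            # most recently seen key goes last
        if len(table) > self.hash_table_size:
            table.popitem(last=False)     # evict the least recently seen key
        return hits + 1

    def allow(self, ip: str, uri: str, now: Optional[float] = None) -> bool:
        """Return True if the request may proceed, False if it should be denied."""
        if now is None:
            now = time.time()
        if any(uri.startswith(prefix) for prefix in self.whitelist_urls):
            return True
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                self._blocked_until[ip] = now + self.blocking_period  # restart timer
                return False
            del self._blocked_until[ip]
        if (self._count(self._page_hits, (ip, uri), now, self.page_interval) > self.page_count
                or self._count(self._site_hits, ip, now, self.site_interval) > self.site_count):
            self._blocked_until[ip] = now + self.blocking_period
            return False
        return True

    def tracked_keys(self) -> int:
        """Keys currently held across both counter tables (shows the memory bound)."""
        return len(self._page_hits) + len(self._site_hits)


# Constructed sample traffic for the example: (timestamp, client IP, URI).
SAMPLE_TRAFFIC: List[Tuple[float, str, str]] = [
    (0.0,   "203.0.113.7",  "/login"),    # 1st hit on /login
    (0.1,   "203.0.113.7",  "/login"),    # 2nd hit, still within SecDOSPageCount 2
    (0.2,   "203.0.113.7",  "/login"),    # 3rd hit inside 1s: blocked for 10s
    (0.3,   "203.0.113.7",  "/index"),    # denied; block timer restarts (until 10.3)
    (10.25, "203.0.113.7",  "/index"),    # still inside the restarted block
    (20.3,  "203.0.113.7",  "/index"),    # block expired; counters reset by time
    (20.31, "198.51.100.9", "/healthz"),  # whitelisted prefix, never counted
    (20.32, "198.51.100.9", "/healthz"),
    (20.33, "198.51.100.9", "/healthz"),
]


def replay(traffic, **directives) -> List[bool]:
    """Run recorded traffic through a fresh limiter; return one decision per request."""
    limiter = SecDosLimiter(**directives)
    return [limiter.allow(ip, uri, now) for now, ip, uri in traffic]


if __name__ == "__main__":
    decisions = replay(SAMPLE_TRAFFIC, whitelist_urls=("/healthz",))
    for (now, ip, uri), ok in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{now:6.2f} {ip:14} {uri:10} {'allow' if ok else 'DENY'}")
```

Two things worth noticing when running it: without the whitelist the three `/healthz` hits from the second client trip the page count just like any other URI, which is why an exclusion directive matters for monitoring endpoints; and the block-timer restart means a client that retries every few seconds never gets out of the block until it backs off for a full blocking period.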

rcbarnett commented Oct 17, 2013

Original reporter: rbarnett

rcbarnett commented Oct 17, 2013

marcstern: Questions:

  1. What's the interest in duplicating mod_evasive?
     Do you plan any additional features?
     mod_evasive is missing per-location settings, but this could be added in this module.
  2. What can't we do for the moment with the IP collection?
     Is it only to simplify things, or do you see a major performance gain?
     Actually, we are missing one collection to perform everything that mod_evasive does, but adding custom collections would solve that in a generic way (that would be beneficial for a lot of other situations).

rcbarnett commented Oct 17, 2013

marcstern: Is it a good idea to duplicate other modules' functionality?
You have also mod_req_timeout, mod_qos, etc.
Isn't it better to focus on core functionalities that are not covered by other modules?

@ghost ghost assigned zimmerle Oct 17, 2013

rcbarnett commented Oct 17, 2013

rbarnett: @marc - we have discussed implementing DoS/DDoS detection code in ModSecurity for some time. It is a core issue and something that we should be able to address. The issues with using IP collections are:

  1. Performance - the current implementation works but is not performant. We need to be able to keep internal state for sites with large amounts of traffic
  2. Ease of usage - using persistent storage today is not easy for the average user. By baking in DoS/DDoS capabilities directly into core ModSec functionality with a module, it will be easier for users to configure and understand.

I agree with you that mimicking the current mod_evasive functionality is not enough. It should be improved upon. I also think that this is a capability that modsecurity should have itself and users should not have to install another module to gain the functionality.

@zimmerle zimmerle added this to the v2.8.1-RC1 milestone Mar 28, 2014

@zimmerle zimmerle removed this from the v2.8.1-RC1 milestone Nov 14, 2014

rcbarnett commented Dec 4, 2014

For reference - here is a similar module in Nginx - http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
