See this blog post - http://blog.spiderlabs.com/2011/07/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html
Caution: there are several reports that mod_reqtimeoutdoes not issue a 408 status code under various conditions<http://old.nabble.com/-users@httpd--mod_reqtimeout-not-returning-408-td31405422.html>. This means that this implementation described below may not work reliably. http://apache-http-server.18135.n6.nabble.com/users-httpd-mod-reqtimeout-not-returning-408-td4770478.html -- Ryan Barnett Lead Security Researcher Trustwave - SpiderLabs On Feb 16, 2013, at 6:50 AM, "Demin Olivier" <olivier.de...@generali.be<mailto:olivier.de...@generali.be>> wrote: Hello, I'm using the CRS 2.2.7 with mod security 2.7.2 and apache 2.2.14 on Linux Ubuntu. I seem to have troubles with the modsecurity crs 11 slow dos protection.conf from the experimental ruleset. In fact, the reqtimeout module is working fine and fires 408 errors after the specified number of seconds when I don't provide the HTTP header fast enough (I tested that by simply performing manual telnet sessions on the port 80 of my server). But these 408 errors seem not to be intercepted by mod security at all. Indeed, when I enable the maximum debug logs (level 9), nothing is appended in the debug log upon 408 firing: no trace of any rule being checked in that particular case. So it seems that the reqtimeout module returns in a way that prevents mod security from being activated. Did any of you encounter similar problems? Thanks for your help Olivier Demin ########################################### GENERALI BELGIUM NV-SA - Verzekeringen-Assurances Louizalaan 149 Avenue Louise - Brussel 1050 Bruxelles Ondernemingsnummer 0403.262.553 Numéro d'entreprise RPR Brussel - RPM Bruxelles ########################################### This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the system manager. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set@lists.owasp.org> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
