Good $localtime,

how many queries have been done by a single IP address?

In my opinion, when it comes to HTTP flooding we will have a problem adjusting the rules, because it will be hard to determine if it is a valid request or not. In such cases I would prefer using mod_evasive or fail2ban.

Just my 2 cents

Kind regards
Joerg

On Tue, Oct 28, 2014 at 11:59 AM, Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa> wrote:

> Hello,
>
> We faced a DDOS attack on our web site very recently. The nature of the attack is an HTTP flood attack which raised our bandwidth utilization from 2MBPS to 20 MBPS.
>
> We have CDN edge caching servers for content delivery to the end user.
>
> There are around 1.2 Million requests made to the Apache web server in 20 minutes with one specific pattern.
>
> For example: http://www.abc.com/index.html?~77462375
>
> The request is appended with a query string with a random sequence number. The website usually responds with the default page for every such request.
>
> But within no time the web servers' resources got exhausted and they were unable to respond, leading to total downtime.
>
> I have attached a white paper which describes similar attacks which we have undergone.
>
> We need a rule from mod_security crs which can defend against the attack and drop such kind of requests.
>
> Regards,
> Chaitanya
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
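The per-IP count asked about in the reply can be taken from the Apache access log. The script below is an added example, not part of the original thread: it counts requests whose query string has the reported `?~<digits>` shape per client address in a sliding window. The log format (common/combined), the thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: client IP, timestamp, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Query string shaped like the one in the report: "?~" followed by digits only.
FLOOD_QS = re.compile(r'\?~\d+$')

def flooding_ips(lines, max_hits=5, window=timedelta(seconds=10)):
    """Return {ip: peak count} for clients that sent more than max_hits
    pattern requests inside any sliding window (thresholds are assumed)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest in-window count seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not FLOOD_QS.search(m.group(3)):
            continue              # unparsable line or ordinary request
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop hits that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_hits}

def sample_lines():
    """Constructed log lines using documentation address ranges."""
    base = datetime(2014, 10, 28, 9, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'
    out = [line("192.0.2.10", i, f"/index.html?~{77462375 + i}") for i in range(8)]
    # Same pattern but one request every 10 s: stays under the threshold.
    out += [line("203.0.113.5", i * 10, f"/index.html?~{1000 + i}") for i in range(8)]
    out += [line("198.51.100.7", 3, "/index.html"),
            line("198.51.100.7", 4, "/search?q=doha")]
    return out

if __name__ == "__main__":
    for ip, n in flooding_ips(sample_lines()).items():
        print(f"{ip}: {n} pattern requests within 10 s")
```

If no single address stands out in the result, per-IP tools such as mod_evasive or fail2ban have little to key on. With CDN edge servers in front, the first log field may be the edge address rather than the end client, so the real client address has to be logged for the count to be meaningful.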