Hi

We are mitigating this with rate-limiting in Nginx, which acts as reverse 
proxies in front of our application webservers.


Med venlig hilsen/Regards

Søren Christian Aarup
DBA/System Administrator




From: Joerg Stephan <joerg.step...@owasp.org>
Date: Tuesday 28 October 2014 15:33
To: Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa>
Cc: "owasp-modsecurity-core-rule-set@lists.owasp.org" 
<owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for 
preventing random query string DOS attacks

Good $localtime,

How many queries have been done by a single IP address?

In my opinion, when it comes to HTTP flooding we will have a problem adjusting 
the rules, because it will be hard to determine if it is a valid request or not. 
In such cases I would prefer using mod_evasive or fail2ban.

Just my 2 cents

Kind regards

Joerg

On Tue, Oct 28, 2014 at 11:59 AM, Chaitanya Kumar Tummalapalli 
<ctummalapa...@qatarairways.com.qa> wrote:
Hello,

We faced a DDOS attack on our web site very recently. The nature of the attack 
is an HTTP Flood Attack which raised our bandwidth utilization from 2 MBPS to 
20 MBPS.

We have CDN edge caching servers for content delivery to the end user.

There are around 1.2 Million requests made to the apache web server in 20 
minutes with one specific pattern.

For example: http://www.abc.com/index.html?~77462375

The request is appended with a query string with a random sequence number. The 
website usually responds with the default page for every such request.

But within no time the web servers' resources got exhausted and they were 
unable to respond, leading to total downtime.

I have attached a white paper which describes similar attacks which we 
have undergone.

We need a rule from mod_security crs which can defend against the attack and 
drop this kind of request.

Regards,
Chaitanya

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
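
An added example (not part of the original thread): a small access-log check that answers the question of how many flood-pattern requests each client IP sent, keyed on the `?~<digits>` query string described in the report. The log lines, IP addresses, window size and threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Access-log prefix: ip ident user [time] "METHOD target PROTO" ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')
# Pattern from the report: a query string that is "~" followed only by digits.
RANDOM_QS_RE = re.compile(r'\?~\d+$')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2014:11:00:01 +0300] "GET /index.html?~77462375 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [28/Oct/2014:11:00:02 +0300] "GET /index.html?~10293847 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [28/Oct/2014:11:00:03 +0300] "GET /index.html?~55510001 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Oct/2014:11:00:03 +0300] "GET /index.html?~83746512 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Oct/2014:11:00:04 +0300] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Oct/2014:11:00:05 +0300] "GET /search?q=doha HTTP/1.1" 200 812',
]

def summarize(lines, window_seconds=60, per_ip_threshold=3):
    """Count requests matching the flood pattern per client IP per fixed window."""
    buckets = defaultdict(Counter)  # window start (epoch seconds) -> hits per IP
    total = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line, ignore
        ip, ts, target = m.groups()
        if not RANDOM_QS_RE.search(target):
            continue  # ordinary request, including normal query strings
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        buckets[int(when // window_seconds) * window_seconds][ip] += 1
        total += 1
    offenders = {}  # IP -> highest hit count seen in any single window
    for counts in buckets.values():
        for ip, n in counts.items():
            if n >= per_ip_threshold:
                offenders[ip] = max(n, offenders.get(ip, 0))
    distinct = {ip for counts in buckets.values() for ip in counts}
    return {"total": total, "distinct_ips": len(distinct), "offenders": offenders}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If `offenders` stays empty while `total` and `distinct_ips` are large, the flood is spread across many sources and a per-IP limit alone will not catch it.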

