Hello Joerg, Thanks for your reply.
In our analysis of access logs the attacker has used 436 IP’s (botnets) to generate this 1.2 million requests with random number queries. Within 20 minutes time. So on an average we have got 2750 requests from one single IP. Our web site which was under attack has maximum of 45 valid known query strings and beyond them can be treated as spurious like below 122.226.28.22, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?953341233 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11" 120.28.113.179, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?2110115717 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5" 93.183.239.56, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-404454353 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1" 221.178.236.122, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-304549227 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0" 117.25.192.227, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1186515202 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1" 60.174.55.148, 23.212.108.70, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-16740259 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 218.63.78.48, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-441220308 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5" 183.63.45.186, 23.212.108.73 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1330852491 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0" 213.148.184.156, 23.212.108.63, 2.18.243.13 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1092903431 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11" 61.133.234.21, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?-1925985494 HTTP/1.1" 200 2797 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02" 125.74.189.77, 23.212.108.67 - - [21/Oct/2014:10:00:26 +0300] "GET /index.html?1261388031 HTTP/1.1" 200 2797 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 3.5.30729)" Vaild query string will look like this 82.79.99.142, 81.196.26.231, 80.239.171.212 - - [28/Oct/2014:16:56:01 +0300] "GET /index.html?q=ro/en HTTP/1.1" 200 So can we think of a rule which drops the requests like /index.html?953341233 this. Or if it can be achieved by mod_evasive . Sorry I’m new to mod_evasive. Could you please elaborate on how to use it. Chaitanya Kumar Tummalapalli TS Controller I n f o r m a t i o n T e c h n o l o g y M : ( + 9 7 4 ) 3 3 6 9 - 0915 | P : ( + 9 7 4 ) 4022 - 7486 | (ctummalapa...@qatarairways.com.qa<mailto:ctummalapa...@qatarairways.com.qa>) W o r l d ' s 5 - s t a r a i r l i n e | www. q a t a r a i r w a y s . c o m From: Joerg Stephan [mailto:joerg.step...@owasp.org] Sent: 28 October 2014 4:34 PM To: Chaitanya Kumar Tummalapalli Cc: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re: [Owasp-modsecurity-core-rule-set] Require Mod_Security rule for preventing random query sting DOS attacks Good $localtime, how many queries have been done by a single ip address? In my opinion, when it comes to HTTP flooding we will have a problem adjusting the rules, cause it will be hard to determine if it is a valid request or not. In such cases i would prefer using mod_evasive or fail2ban. Just my 2 cents Kind regards Joerg On Tue, Oct 28, 2014 at 11:59 AM, Chaitanya Kumar Tummalapalli <ctummalapa...@qatarairways.com.qa<mailto:ctummalapa...@qatarairways.com.qa>> wrote: Hello, We faced a DDOS Attack on our web site very recently. The nature of attack is a HTTP Flood Attack which raised our bandwidth utilization form 2MBPS to 20 MBPS We have CDN edge caching servers for content delivery to the end user. There are around 1.2 Million requests made to the apache web server in 20 minutes with one specific pattern. For ex: http://www.abc.com/index.html?~77462375 Request appended with query string with random sequence number. The Website usually responds with default page for every such request. But within no time the web servers resources got exhausted and was unable to respond. Leading to total downtime. I have attached a white paper which describes about similar attacks which we have undergone. We need a rule from mod_security crs which can defend the attack and drop such kind of requests. Regards, Chaitanya Qatar Airways - Proud member of the oneworld alliance. [Image removed by sender. OW LOGO] Disclaimer:- This message (including attachments) is intended solely for the addressee named above. It may be confidential, privileged, subject to copyright, trade secret, or other legal rules and may not be forwarded without the author's permission. If you are not the addressee you must not read, copy or disseminate this message. If you have received it in error please notify the sender immediately and delete the message from all storage devices. Any opinions expressed in this message do not necessarily represent the official positions of Qatar Airways. Any agreements (including any warranties, representations, or offers) concluded with Qatar Airways by using electronic correspondence shall only come into existence if an authorized representative of Qatar Airways has explicitly approved such contract formation. To the fullest extent permissible by law, Qatar Airways disclaim all liability for loss or damage to person or property arising from this message being infected by computer virus or other contamination. _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set@lists.owasp.org> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
